Responding to Incidents Using Automation
In the previous chapter, we focused on incident management using automation.
The first hands-on example auto-closed an incident with no analyst interaction. We used the watchlist feature in Microsoft Sentinel to store our allowed IP addresses and compared them with the IP entities involved in the incident. Based on the result, the playbook either auto-closed the incident or left a comment stating that the IP was not on the watchlist.
The second example expanded on the first. Because an incident can contain more than one IP address, and only some of them may be on the watchlist, we added an approval email action that asks an analyst whether the incident should be auto-closed or whether further investigation is needed.
The final example used an automation rule to auto-close incidents on creation when the incident's IP entity matches a specific IP address. One practical use of this is to auto-close incidents generated during a penetration test in which the SOC is not a participant, so the analysts are not flooded with expected alerts.
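The decision logic behind the three examples above, as an added illustration that is not code from the book or from Microsoft Sentinel. It takes the IP entities of an incident and a watchlist of allowed addresses (both constructed here; in Sentinel they would come from the incident trigger and the Get-Watchlist action) and returns which playbook branch to take: close the incident when every IP is on the watchlist, comment when the single IP is not, or request analyst approval when an incident mixes listed and unlisted IPs. It also generalises slightly beyond the chapter by accepting CIDR ranges in the watchlist and by skipping malformed entity values instead of treating them as allowed.

```python
import ipaddress

# Constructed stand-in for the Sentinel watchlist: hypothetical allowed IPs and a CIDR range.
ALLOWED_WATCHLIST = ["203.0.113.10", "198.51.100.0/24"]


def load_allowlist(entries):
    """Parse watchlist rows into ip_network objects; single IPs become /32 (or /128) networks."""
    return [ipaddress.ip_network(entry.strip(), strict=False) for entry in entries]


def is_allowed(ip, networks):
    """True if the IP falls inside any watchlist entry."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


def triage(incident_ips, allowlist_entries=ALLOWED_WATCHLIST):
    """
    Decide the playbook branch for one incident.

    Returns a dict with an 'action' of 'close', 'comment' or 'request_approval',
    plus the details the playbook would need for that branch.
    """
    networks = load_allowlist(allowlist_entries)
    unique_ips = list(dict.fromkeys(incident_ips))  # dedupe, keep first-seen order

    listed, not_listed, malformed = [], [], []
    for ip in unique_ips:
        try:
            (listed if is_allowed(ip, networks) else not_listed).append(ip)
        except ValueError:
            # An unparsable entity is never treated as allowed; it needs a human look.
            malformed.append(ip)

    if not unique_ips:
        return {"action": "comment", "comment": "Incident has no IP entities; nothing to compare."}

    if not_listed or malformed:
        if len(unique_ips) == 1:
            # Single unlisted IP: the first example's branch, just leave a comment.
            return {
                "action": "comment",
                "comment": f"IP {unique_ips[0]} is not on the allowed watchlist.",
                "not_listed": not_listed,
                "malformed": malformed,
            }
        # Mixed or multiple IPs: the second example's branch, ask an analyst.
        return {
            "action": "request_approval",
            "listed": listed,
            "not_listed": not_listed,
            "malformed": malformed,
        }

    # Every IP is on the watchlist: close as benign/expected, as in the first example.
    return {
        "action": "close",
        "classification": "BenignPositive",
        "classification_reason": "SuspiciousButExpected",
        "comment": f"All IPs ({', '.join(listed)}) are on the allowed watchlist; auto-closed.",
    }


if __name__ == "__main__":
    # Constructed sample incidents (not real alert data).
    for ips in (["203.0.113.10"], ["203.0.113.10", "192.0.2.5"], ["192.0.2.5"], ["not-an-ip"]):
        print(ips, "->", triage(ips)["action"])
```

The classification and reason strings are the values Sentinel accepts on the close-incident action for a benign outcome. Keeping the branch choice in one function makes it easy to unit test the edge cases (duplicate IPs, a range in the watchlist, a malformed entity) before wiring it into a Logic App.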
This chapter will focus on how to...