In this chapter, we continued with hands-on examples and focused on how to respond to incidents using playbooks, and how we can utilize our enrichment playbooks to decide how to respond.
In the first example, we used a playbook to block a user in Azure AD when we had a sign-in from a suspicious location, and we used our MaliciousIP watchlist to check whether that IP was malicious. Plus, we had a comment from the
VirusTotal-IPEnrichment-alertTrigger playbook (which we created in Chapter 6) to get information from VirusTotal as well.
The second example focused on our response when malware was detected on one of our machines. We utilized MDE and its evaluation lab to generate incidents, sync them to Sentinel, and respond to isolate the machine in MDE itself.
In our final chapter, we will provide a few important tips and tricks for working with Microsoft Sentinel playbooks. If you decide to go even deeper into Microsoft Sentinel playbooks, these tips and tricks will save...