In this chapter, we dug deep into Microsoft Sentinel automation and dissected each element. First, we focused on automation rules and their main elements – triggers, conditions, and actions – and how they define automation rule runs. We also covered permissions and ways to create automation rules. Then, we moved on to the topic of playbooks, where we focused on their main elements – triggers, actions, and dynamic content – as well as underlying information such as connectors, permissions, and authentication methods.
At the end of this chapter, we focused on the critical topic of automation health and how to monitor it using Microsoft Sentinel functionalities.
In the next chapter, we will begin our hands-on examples. We will focus on enriching incidents so that we can reduce MTTA and MTTR in Microsoft Sentinel.