Managing Incidents with Automation
In the previous chapter, we introduced how to use Microsoft Sentinel and then moved on to hands-on examples.
The first hands-on example involved enriching an incident that contained an IP address with information from VirusTotal. We used an alert trigger and went step by step from there, from creating the playbook to testing it.
The second example involved URL enrichment and took a different approach from the IP enrichment example: we used an incident trigger for our playbook and again went step by step through the usual process of creating it.
This chapter will focus on how to manage incidents by utilizing automation.
This chapter will cover the following:
- Auto-closing known false-positive incidents using a watchlist
- Closing an incident based on SOC analyst input
- Auto-closing incidents using automation rules