Automated false-positive incident closure with a watchlist
- You need to have access to Microsoft Sentinel with appropriate permissions (Microsoft Sentinel Contributor, Logic App Contributor, and permission to assign RBAC controls – Owner or User Access Administrator)
Creating a playbook
Let’s use the same strategy we used with our hands-on example in the previous chapter. First, we will list what we want to do and then do it step by step:
- We need a watchlist that contains an IP address. We have one called MaliciousIP, created in Exercise 1 in the previous chapter. You should create a new watchlist called AllowedIP and use the same IP.
- We will need a detection rule with an IP address. We created one in Exercise 1 in the previous chapter...
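As an added illustration (this query is not from the book or the exercise files), here is the KQL check that the playbook can run in a "Run query and list results" action against the AllowedIP watchlist. It assumes the watchlist's search key was set to the IP address column when AllowedIP was created, and it uses a constructed list of IPs in place of the incident's IP entities, which the playbook would pass in as dynamic content.

```kql
// Added example, not the book's own code. The IP list below is constructed;
// in the playbook it is replaced by the incident's IP entities (dynamic content).
let IncidentIPs = dynamic(["203.0.113.10", "198.51.100.7"]);
// _GetWatchlist() returns the watchlist rows. SearchKey is the column chosen as
// the search key when the watchlist was created (assumed to be the IP column).
let AllowedIPs = _GetWatchlist('AllowedIP')
    | project AllowedIP = tostring(SearchKey);
// One row per incident IP, flagged when it appears in the AllowedIP watchlist.
print IncidentIP = IncidentIPs
| mv-expand IncidentIP to typeof(string)
| extend IsAllowed = IncidentIP in (AllowedIPs)
| summarize
    AllowedCount = countif(IsAllowed),
    UnmatchedIPs = make_set_if(IncidentIP, not(IsAllowed))
// Close as a false positive only when every IP on the incident is on the list;
// a single unmatched IP means an analyst still has to look at it.
| extend CloseAsFalsePositive = array_length(UnmatchedIPs) == 0
```

In the Logic App, a Condition action branches on the returned CloseAsFalsePositive value; only the true branch calls the Microsoft Sentinel connector's "Update incident" action to set the status to Closed with the classification False Positive and one of the False Positive reasons (Incorrect alert logic or Inaccurate data). Checking that all IPs match, rather than any, is deliberate: an incident that mixes an allowed IP with an unknown one should not be auto-closed.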