Closing an incident based on SOC analyst input
- You need to have access to Microsoft Sentinel with appropriate permissions (Microsoft Sentinel Contributor, Logic App Contributor, and permission to assign RBAC controls – Owner or User Access Administrator).
- You will need at least one Microsoft Exchange Online license user. You can add a trial for Microsoft Office 365 using the same tenant of your Azure subscription.
Creating a playbook
In the previous example, we saw how we can create a playbook to auto-close incidents so that SOC analysts don’t lose time investigating an IP address at all. While this is great when we have one IP address in an incident, it can be problematic if there are multiple IPs and some are on the watchlist while some are not. In our previous example, the incident would auto-close even if there were multiple detected IPs in an incident, but only one is in our watchlist. So, if there...