Theory — Sentinel Playbooks and SOAR
Theory — Sentinel Playbooks and SOAR
In the previous lab, you created analytics rules that fire when conditions are met. In the tuning page, you learned how to reduce noise so those rules produce quality alerts. But what happens after an alert fires?
SOAR (Security Orchestration, Automation, and Response) is where Microsoft Sentinel becomes operational — it lets automated workflows respond to incidents without human intervention.
What Are Playbooks?
A playbook in Microsoft Sentinel is an Azure Logic App that runs when triggered by an incident or alert. It can perform actions across multiple systems:
- Block a malicious IP at a firewall or network security group
- Disable a compromised user account in Entra ID
- Send a message to Microsoft Teams or Slack
- Create a ticket in ServiceNow, Jira, or Azure DevOps
- Collect additional data (whois lookups, VirusTotal scans)
- Isolate a compromised VM from the network
Playbooks are built using Azure Logic Apps — visual workflows that connect to hundreds of services without writing code.
How Playbooks Work
The flow is: Incident created → Automation Rule evaluates conditions → Playbook triggered → Actions executed.
Common Playbook Examples
1. Block Malicious IP at NSG
When an analytics rule detects a malicious IP address, the playbook:
- Extracts the IP from the incident entities
- Finds the Network Security Group (NSG) protecting the resource
- Adds a deny rule for that IP
# Pseudocode — what the playbook logic does
malicious_ip = incident.entities.get_ip_address()
nsg = get_nsg_for_resource(incident.resource_id)
nsg.add_deny_rule(malicious_ip, priority=100)
log(f"Blocked {malicious_ip} in NSG {nsg.name}")2. Disable Compromised User
When a rule detects suspicious sign-in activity:
- Extracts the user principal name from the incident
- Disables the account in Entra ID
- Forces password reset on next login
- Sends notification to the security team and the user's manager
3. Enrich with Threat Intelligence
When a new incident is created:
- Extracts entities (IPs, domains, file hashes)
- Queries threat intelligence feeds (Microsoft Defender TI, VirusTotal, AlienVault OTX)
- Adds threat indicators to the incident
- Updates severity based on threat intelligence match
4. Notify and Escalate
When a High-severity incident is created:
- Sends message to Microsoft Teams channel
- Creates Azure DevOps work item
- Sets incident priority based on rules
- Assigns to the on-call analyst (rotation-based)
Automation Rules vs. Playbooks
| Feature | Automation Rules | Playbooks |
|---|---|---|
| Scope | Manage incidents within Sentinel | Interact with external systems |
| Actions | Tag, change severity, create tasks, send email | Block IPs, disable users, update tickets, query APIs |
| Complexity | Simple, no-code | Complex workflows (Logic Apps) |
| Use case | "I want to tag this incident" | "I want to block this IP and notify the team" |
Automation rules are for managing incidents. Playbooks are for responding to them. They work together — an automation rule can trigger a playbook.
AI-Assisted Playbook Creation
Microsoft Sentinel includes tools that help you create and manage playbooks more efficiently:
- Template-based creation: Start from pre-built playbook templates for common scenarios (alert triage, incident enrichment, automated response)
- AI-assisted guidance: The portal provides suggestions based on your incident data and recommended actions
- Built-in connectors: Pre-configured connectors for Microsoft Teams, ServiceNow, Jira, and other common tools
To create a playbook:
- Navigate to the Playbooks page in Microsoft Sentinel
- Click Create from template or start a new playbook
- Choose your trigger (incident created, alert fired) and configure actions
- Review and test before deploying
Note: Playbooks run as Azure Logic Apps. Always review generated code for security issues before using it in production.
When to Use Playbooks
| Scenario | Use Playbook? | Why |
|---|---|---|
| Block known-bad IP at firewall | Yes | Fast, automated, repeatable |
| Notify team of new incident | No — use automation rule | Simpler, built-in |
| Disable compromised account | Yes | Time-sensitive, needs external system access |
| Create ticket in ServiceNow | Yes | Integrates with external workflow |
| Enrich with threat intel | Yes | External API calls needed |
Rule of thumb: If the response requires interacting with an external system or performing multi-step logic, use a playbook. If it's managing the incident within Sentinel, use automation rules.
Key Takeaways
- Playbooks are Azure Logic Apps triggered by Sentinel incidents — they automate responses across multiple systems.
- Common playbooks: block IP, disable user, enrich with threat intel, notify and escalate.
- Automation rules manage incidents; playbooks respond to them. They work together.
- Use templates and AI-assisted guidance to create playbooks efficiently; always review before deploying.
- Not every alert needs a playbook — start with automation rules for simple tasks.