Monday, May 9, 2022

Unleash the Power of Modern SecOps with Microsoft Sentinel SOAR

Protecting the modern enterprise from increasing cyberthreats requires a modern approach to SecOps – an approach powered by intelligence and automation. Security operations teams simply cannot scale to meet today's security challenges, resulting in overworked security analysts, unaddressed security alerts, and undetected threats. By empowering SecOps teams to work smarter, not harder, Microsoft Sentinel can enable them to stay ahead of emerging threats and respond more quickly to attacks.


Unified SIEM + SOAR with Microsoft Sentinel 

Microsoft Sentinel brings together data, analytics, and workflows to unify and accelerate threat detection and response across your entire digital estate. With built-in security orchestration, automation, and response (SOAR) capabilities, along with built-in user and entity behavior analytics (UEBA) and threat intelligence (TI), customers get a complete solution for SecOps that is both easy and powerful, at a fraction of the cost and hassle of standalone SIEM and SOAR solutions. Microsoft Sentinel offers: 

  • AI-Powered Incident Response: Automatically correlate alerts and anomalies using ML-based fusion to find hidden threats and create prioritized incidents. Enrich incidents with user and entity behavioral insights and intelligence. Search across all your data, including archived logs, and add related events to an incident. Use the investigation graph to discover relationships between alerts, events and entities, and leverage the incident timeline to quickly understand the full attack story.
  • Integrated Threat Intelligence: Bring your own TI or leverage Microsoft and RiskIQ TI to detect threats, prioritize investigations, and speed response. Create, view, search, filter, sort, and tag all your threat indicators to easily track top threats targeting your organization.
  • Smart Automation Workflows: Centrally manage automated incident response across your security operations center (SOC) by creating ordered workflows containing a mix of built-in actions (prioritize, assign, close and tag incident) and playbooks. Leverage hundreds of out-of-the-box playbook templates to integrate with your IT and security systems or create your own using a visual playbook designer. Trigger playbooks automatically when an incident is created or on demand during an investigation.
  • Incident Case Management: Unify incident management across multiple workspaces and orgs. Manage incident assignments, track status and comments, and maintain full audit and RBAC on any action taken. Collaborate easily with bi-directional Microsoft Teams integration, and integrate with ServiceNow, Jira and other tools.
  • SOC performance tracking and measurement: Track important metrics and KPIs (MTTR and MTTA) with the out-of-the-box SOC efficiency workbook. New workbooks can be created and customized with many visual options, exported to facilitate reporting, and used for tracking across multiple workspaces and orgs.


New SOAR Capabilities 

Continuing our journey, we are happy to announce new SOAR capabilities now available in Microsoft Sentinel that leverage entity and rule context.

  • Additional options for triggering automation (Public Preview): You can now trigger an automation workflow and playbooks when an incident is updated, which allows you to notify relevant analysts when incidents are assigned/updated by email or Microsoft Teams. In addition, a new manual incident trigger allows analysts to run incident playbooks on demand, simplifies testing of new flows and allows analysts to view the run history of automation on an incident.  
  • Logic Apps Standard support (Public Preview): Allows customers to use the new and powerful version of the Logic Apps platform. Some of the benefits of Standard are fixed pricing, a single app with multiple workflows, easier API connection management, native network capabilities such as VNet and private endpoint support, built-in CI/CD features, better Visual Studio integration, a new version of the Logic Apps designer, and more.
  • Relate alert to incident (Public Preview): Allows analysts to manually add or remove an alert from an incident as part of the investigation process. This feature will allow analysts to uncover larger, more complex attacks as the investigation reveals information.
  • 100 workspaces/tenants support for incidents management (GA): Allows analysts to view incidents across up to 100 (previously 30) Sentinel workspaces, thus extending incident management for distributed organizations, partners and MSPs.
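The ordered automation workflow described under Smart Automation Workflows above (built-in actions followed by a playbook, fired when an incident is created) and the new incident-updated trigger announced in this list, expressed as Sentinel automation rules in a Bicep template. This is an added example, not code from the blog post or from Microsoft. The workspace name, rule GUIDs, owner identity, tenant ID and Logic App resource IDs are placeholders, and the API version and property names follow the Microsoft.SecurityInsights/automationRules schema as I recall it, so check them against the current REST API reference before deploying.

```bicep
// Added example (not from the original post). All names and IDs below are placeholders.
param workspaceName string = 'contoso-sentinel-ws'   // placeholder workspace name

// Automation rules are extension resources scoped to the Log Analytics workspace.
resource workspace 'Microsoft.OperationalInsights/workspaces@2022-10-01' existing = {
  name: workspaceName
}

// Rule 1: on incident creation, high-severity incidents get the built-in actions
// (set status, assign owner, tag) and then an enrichment playbook. Actions run in
// "order"; rules themselves also run in "order" when several match one incident.
resource triageRule 'Microsoft.SecurityInsights/automationRules@2022-11-01' = {
  name: '11111111-1111-1111-1111-111111111111'   // placeholder rule GUID
  scope: workspace
  properties: {
    displayName: 'High severity: assign, tag, enrich'
    order: 1
    triggeringLogic: {
      isEnabled: true
      triggersOn: 'Incidents'
      triggersWhen: 'Created'
      conditions: [
        {
          conditionType: 'Property'
          conditionProperties: {
            propertyName: 'IncidentSeverity'
            operator: 'Equals'
            propertyValues: [ 'High' ]
          }
        }
      ]
    }
    actions: [
      {
        order: 1
        actionType: 'ModifyProperties'
        actionConfiguration: {
          status: 'Active'
          owner: {
            objectId: '00000000-0000-0000-0000-000000000000'        // placeholder AAD object ID
            userPrincipalName: 'tier2-oncall@contoso.example'       // placeholder UPN
          }
          labels: [
            { labelName: 'auto-triaged', labelType: 'User' }
          ]
        }
      }
      {
        order: 2
        actionType: 'RunPlaybook'
        actionConfiguration: {
          // placeholder Logic App (playbook) resource ID and tenant
          logicAppResourceId: '/subscriptions/<subscription-id>/resourceGroups/<rg>/providers/Microsoft.Logic/workflows/Enrich-Incident-With-TI'
          tenantId: '<tenant-id>'
        }
      }
    ]
  }
}

// Rule 2: the incident-updated trigger. Every time a high-severity incident is
// updated (assignment, status, comments), a notification playbook runs so the
// relevant analysts hear about it by email or Teams.
resource notifyOnUpdateRule 'Microsoft.SecurityInsights/automationRules@2022-11-01' = {
  name: '22222222-2222-2222-2222-222222222222'   // placeholder rule GUID
  scope: workspace
  properties: {
    displayName: 'High severity: notify assignee on update'
    order: 2
    triggeringLogic: {
      isEnabled: true
      triggersOn: 'Incidents'
      triggersWhen: 'Updated'
      conditions: [
        {
          conditionType: 'Property'
          conditionProperties: {
            propertyName: 'IncidentSeverity'
            operator: 'Equals'
            propertyValues: [ 'High' ]
          }
        }
      ]
    }
    actions: [
      {
        order: 1
        actionType: 'RunPlaybook'
        actionConfiguration: {
          logicAppResourceId: '/subscriptions/<subscription-id>/resourceGroups/<rg>/providers/Microsoft.Logic/workflows/Notify-Incident-Assignee'   // placeholder
          tenantId: '<tenant-id>'   // placeholder
        }
      }
    ]
  }
}
```

Deploy with `az deployment group create --resource-group <rg> --template-file automation-rules.bicep`. Two operational checks matter here: the playbooks must use the Microsoft Sentinel incident trigger, and the Sentinel automation identity needs the Microsoft Sentinel Automation Contributor role on the resource group holding the playbooks, otherwise the RunPlaybook action fails silently from the analyst's point of view and only shows up in the rule's run history.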


An empowered SecOps Team 

Microsoft Sentinel customers are realizing material gains in SOC efficiency by leveraging the SOAR capabilities above, freeing up SOC personnel for more in-depth investigation and hunting for advanced threats. Microsoft Sentinel is helping customers:

  • Focus on real threats with AI that reduces false positives by 79% [1]
  • Automatically resolve 30% of incidents
  • Reduce mean time to respond (MTTR) from hours to minutes

Source: [1] The Total Economic Impact™ Of Microsoft Sentinel


Learn More

Microsoft is committed to empowering our customers with security tools and platforms to enable critical protection for your organization and users. To learn more about Microsoft Sentinel + SOAR please refer to: 

  1. Microsoft Sentinel: 
  2. SOAR in Microsoft Sentinel: Introduction to automation in Microsoft Sentinel | Microsoft Docs 
  3. Learn More: Microsoft Sentinel documentation | Microsoft Docs 
  4. SIEM + SOAR infographic: Optimizing SecOps with Microsoft Sentinel
  5. Customer Success Stories: 

Together we can make the world a safer place. 
