Automate threat response with Azure Sentinel | Azure Friday

Captions
Hey friends, automation in Azure Sentinel is really powerful, but did you know that you don't have to create full-blown playbooks and logic apps to be able to use it? Sarah Young and her boss Mina are back to show me what's new in Azure Sentinel. Today on Azure Friday.

Hey friends, I'm Scott Hanselman and it's Azure Friday. I'm here with Sarah Young and we're going to learn all about Azure Sentinel. How are you?

I'm good, Scott, and thanks for asking. Obviously really super excited to be back on Azure Friday. It's a little bit different from last time we did it a few years ago.

Yeah, it is a little bit different, but we are making it possible through the cloud and the power of technology, and I'm still going to get to learn about all the great stuff that you're working on, so it's a win for me.

Yeah, me too. And it's always nice to catch up and see how everyone's going, seeing as I can't do things in person at the moment, but fingers crossed sometime soon.

Indeed. So, you've got a cool demo for me and you're going to help me understand how to, you know, better think about playbooks, because I have a way in my mind that I think these things work and you maybe have some better solutions for me.

Yeah, so it's been growing in leaps and bounds since the last time we talked about it. Last time I talked to you, it was still in public preview. It's now GA. Sentinel's coming up on its second birthday, if a product can have a birthday. So I wanted to talk to you, 'cause last time we talked about the automation, but it's grown up and evolved so much since then. I wanted to show you what's changed and how we can do automation even more easily now in Sentinel.

Do we think about Sentinel primarily as an automation tool, primarily security? Like, when I think Sentinel, it's like it's watching over me and it's thinking about anything that could go wrong from a security perspective. It's primarily about security, right?

Yeah, so Sentinel is two things. It's a SIEM, or "seem", depending on what part of the world you're in. So security information and event management. And it's also a SOAR.

Also SOAR.

So that's security automation... oh no, sorry, security orchestration, automation and response. I'd get that wrong first time we did it. And so it does the monitoring side of things, but it can also do the remediation. Traditionally, these tended to be two separate products that you'd have to buy and integrate, but with Sentinel you get it all in one.

Interesting. OK, so it's watching events and also potentially doing something about those events, and it's all in one single tool.

Yes, that's right.

Very cool, OK.

So what I wanted to show you was our automation blade. Now, until recently it was just called Playbooks, because all we would do is use the playbooks, which is something which is part of Logic Apps. Now we use playbooks and logic apps for automation throughout the rest of Azure as well, so it might be something you're already familiar with. But what I wanted to talk about was automation rules, 'cause sometimes automation rules are like quick ways to do some really basic automation, because playbooks are great, but it is a bit of effort to go in, create a playbook, set up all the connectors and make it do something. And sometimes you just need the automation to do something really, really quick. So if I show you this, this is my automation rule; this is one I made earlier. So what we've got here is an automation rule, and basically what it will do is, when an incident is created, I can pick an analytics rule. Now I have a rule called "suspicious deployment of new playbooks". So what the rule's looking for is any new playbooks that have been deployed that maybe shouldn't have been. But I've also said for the condition, if the IP address equals my IP address. Now I know you can't see that, but um, if that IP address is found within the automation rule, then we need... you just need to close it. Now, there's actually a lot of different actions you can take here. I'm using "change status" and I'm putting it to closed, and then it also says "false positive". You can also put here the reason, so I'm going to put "false positive, inaccurate data". But I'm also just going to write here "Sarah is doing her test". So what that means is, when these conditions are met, this automation rule, if an incident meets these conditions, the automation rule's going to automatically close the incident. Now, as I said, there's some other things we can do here, but I'll just show you this specific incident. Now you can see I'm only looking at the closed incidents at the moment. So I'm just at the open incidents, sorry. So I'm going to have a look here, and if I open this up you can see that I've actually triggered this incident, and the automation rule has automatically closed it, and for this one has put "false positive, Sarah is doing her tests". So it can be... sometimes you might be using it for testing, or it might be a known issue in your environment, because in a perfect world you wouldn't trigger an incident for something that wasn't an incident. But we know in real life sometimes there might be a particular user or hostname or host or something that's triggering your analytics rules, and sometimes we can filter that out in the actual rule logic itself; occasionally we can't, so we can actually use the automation rules to be able to just close it off. I have had some customers do that.

Yeah, I mean, if you've got a particular search spider who's overly aggressive, that could kick something off, or the behavior or the structure of a URL that you're doing for some tests. If you're running some Playwright or Selenium tests, it might cause behavior to make things look unusual, and those would all be reasonable things where you would want to go and have an automation rule that says... Now that's cool.

Yeah, exactly. And the other great thing we can do with automation rules is you can use it to kick off a new playbook. So if you need something that's actually more in depth and you need a playbook, which is more complicated automation, you can actually say, hey, if we see this rule (I'm just picking Dynamics 365), run a playbook, and then we can pick the playbook from here. Something that I wanted to point out, 'cause it catches out a load of people: you'll see here that when I go to select a playbook it says that I don't have permissions. Now this is something that catches a lot of people out. That's because to run playbooks it's different permissions to running things within Sentinel; you need to have Logic Apps permissions. So because this is something that happens a lot, you can actually just come straight into here, and I just pick my resource group, my Sentinel one, and apply, and it's going to automatically add those logic app permissions. When it's done that, you can see if I go back now these aren't grayed out, and I can select one of these playbooks to add into the automation rule. And we're trying to make it really nice and easy, but it's something that's caught a couple of people out while this is new. So I just wanted to show you how you can add those permissions in straight from the automation rule, to make it really easy to run the playbook from the rule.

How were people doing this before? Were they just making logic apps and kind of cobbling these behaviors together?

So that's a really good question, Scott. So what you can do, and you can still do this, but I'll show you, is that what you can do is on an analytics rule. Now, analytics rules are the rules that trigger incidents. So if we have a look at this analytics rule here, and this is still valid, we can do automated response. So what we can do here is we can actually add a playbook directly to the rule, and that's still a completely valid way of doing things. If you want to just automatically run the playbook straight from the rule trigger, you can. But what the automation rules allow you to do is maybe do some filtering, saying, you know, only run this playbook if these conditions are met, so it makes it a little bit more smart rather than a blanket "run this playbook, run this playbook, run this playbook". Yes, you can certainly still go in here in the configuration of your analytics rule and do that, and you can see here, actually, you can add an automation rule in here as well. It's another way to do the same thing I was showing you before, because you can see here we have the automation rule that I have added. So yeah, it's a slightly different way of doing it. The old way of doing it is still perfectly valid, but you can put a few more smarts in it, which is always useful.

Yeah, I think that having it upfront in the main blade makes a lot more sense, and the option for filtering, whether you choose to use it or not, has a lot more value. So I can definitely see why I would want to move my stuff over to the new way.

Yeah, so that's the... we're doing some really cool things in automation. And then something that we've just released, just to wrap up and round out all the automation we have, is playbook templates now. So of course we do have playbook templates, actually, you may have seen them. We do have them in our GitHub repo here, the Sentinel GitHub repo, but what you need to do is go into them here and you would deploy them from the Sentinel GitHub, and that's still a perfectly valid way of doing it. We have ARM templates; if you click on one of those links, it's going to bring the template into your tenant. But what we have with everything else in Sentinel is we have galleries within the product itself. So we have it for our workbooks, we have it for analytics rules, but we didn't have it for playbooks. But now I'm really pleased to say we do have a playbooks gallery. So all of those things that you see in the GitHub are now in the UI itself. So you can see here that... I've already got one of them, I've deployed it: "block Azure AD user". But here you can see we've got "advanced ServiceNow Teams integration". So it gives you a description of the playbook, it tells you the different connectors, the logic app connectors we're going to use, and it will also give you an idea of some of the prerequisites you need as well. So for this one I'm just gonna deploy here the "block AAD user" for an incident, because we do have different triggers: we have incident triggers and alert triggers. They are subtly different; probably not the time to explain exactly right now the difference, because I'll be here for a long time. But you can see when I click to go into the deployment, I pick my subscription, my resource group, my region. I can change the playbook name if I want to. We can turn on diagnostics logs; that allows us to monitor the health of the playbook. That is something that definitely some customers are interested in, being alerted on if their log analytics... sorry, if their logic app isn't working. And then we add the connections here. Some of them are added automatically, so we've got AAD and Sentinel; some you do need to create after your deployment. It is a bit context sensitive, you know, it'll tell you in the UI. And then, like every single other Azure resource in the world, we will create it, and then it's going to take me to the Logic Apps designer, and if we give it a second it will send me over there, and then we can see what's actually been deployed into the workspace.

Cool to see how different products in Azure build on top of different products in Azure, and it's very seamless how they all build on top of each other.

Exactly. So we can see here we've got now our logic app. It's been created and we've got all the different steps. And so again, just a really nice easy way to deploy templates that have been created. They've all been reviewed by Microsoft engineering. Some of them have been created by engineering, some come from our partners, but they're a really great way to start getting used to and getting familiar with how you can do some automation in Sentinel. And yeah, that's probably everything I've got to show you this time, Scott. I could go on for a long time, but I should probably leave it there.

Well, I appreciate that. The folks who watch Azure Friday know that after the episode they can go and check out the docs, they can check out the tutorial, they can check out the GitHub repository and take a look at those runbooks and see the code behind those runbooks. And this has been super helpful. Glad that a lot of cool stuff has been happening in the Azure Sentinel space.

Yeah, there's always lots of stuff happening. It's always worth keeping an eye on it, 'cause it's still a pretty young product in Azure terms, so there's lots of cool things coming. And yeah, even sometimes I struggle to keep up, and I work on Sentinel every day.

So very cool. Well, I've been learning all about how to automate my security response with Azure Sentinel, today on Azure Friday. Hey, thanks for watching this episode of Azure Friday. Now I need you to like it, comment on it, tell your friends, retweet it, watch more Azure Friday.
Info
Channel: Microsoft Azure
Views: 4,217
Keywords: Scott Hanselman, Sarah Young, Azure Friday, Azure Sentinel, SOAR, Security, Orchestration, Automation, Response, SIEM, security information, event management, security analytics, automate protection, workbooks, playbooks, automation, logic apps, investigation, rules, incident handling, criteria, hunting, incident response, playbook template, contributor, responder, operator, tag incidents, tagging, cloud scale, incidents blade, auditing, alert, rule template, API connection, alert automation, RPS
Id: t0wBdVC9Iiw
Length: 14min 4sec (844 seconds)
Published: Fri Oct 15 2021