The first step to setting up automation is configuring alerts. Alerts in Microsoft Security Center are system warnings about detected anomalies or potential security issues.
Alerts can be set up through the ‘Security Alerts’ blade in the Azure portal. For instance, to create an alert based on a log search:
- On the Azure portal, navigate to ‘Monitor’, then click on ‘Alerts’, and finally ‘New Alert Rule’.
- Select a target resource to assign the alert rule.
- In the condition section, click ‘Add’ and select ‘Custom log search’.
- From here, you can input the specific log query that should raise the alert, along with the threshold that determines when the rule fires.
Incident Configuration
Incidents represent an aggregation of several alerts related to a particular attack or security issue. They provide a consolidated view of all the components that are part of a particular security event.
In Microsoft Security Operations, you can define incident settings and customize how incidents are created. In the Security Center settings under “Workflow automation,” you can specify the logic behind your incident creation. You can select specific alerts to trigger incident creation, or you can group by various entities like IP address or host.
Triggering Automation
After you configure alerts and incidents, you can use them to trigger automation, which is achieved through Playbooks in Azure. Playbooks are built on Azure Logic Apps and define a sequence of steps that run automatically.
Under the security playbook settings, you can set up rules to watch for any generated security alerts. When an alert is generated, it triggers the playbook, executing the defined automation steps.
Below is an example of an Azure Logic App setup:
- Navigate to the main Logic App page on Azure and click “Add”.
- Select a name, subscription, resource group, and location for your Logic App.
- On the Logic Apps Designer, choose your trigger – in this case, “When a response to an Azure Sentinel alert is triggered.”
- Design your playbook based on the desired actions. For instance, you might want the system to deliver email notifications, block IP addresses, or even adjust user settings.
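To show how the two procedures above fit together as code rather than portal clicks, here is an added Bicep example (not from the original page or from Microsoft): a scheduled analytics rule holding the custom log search and its threshold, and an automation rule that runs an existing playbook when a High-severity incident is created. The workspace name, the playbook resource ID and the KQL query are assumptions for illustration, and the playbook is assumed to use the Sentinel incident trigger so an automation rule can call it.

```bicep
param workspaceName string
param playbookResourceId string // assumed: resource ID of an existing Logic App playbook
resource workspace 'Microsoft.OperationalInsights/workspaces@2022-10-01' existing = { name: workspaceName }

// Scheduled analytics rule: the custom log search plus the threshold that raises the alert.
resource failedSigninRule 'Microsoft.SecurityInsights/alertRules@2023-02-01' = {
  scope: workspace
  name: guid(workspace.id, 'example-failed-signins')
  kind: 'Scheduled'
  properties: {
    displayName: 'Example: repeated failed sign-ins for one account'
    enabled: true
    severity: 'High'
    // Assumed KQL, run every hour over the previous hour; any row it returns raises an alert.
    query: '''
SigninLogs
| where ResultType != "0"
| summarize Failures = count() by UserPrincipalName, IPAddress
| where Failures >= 10
'''
    queryFrequency: 'PT1H'
    queryPeriod: 'PT1H'
    triggerOperator: 'GreaterThan'
    triggerThreshold: 0
    suppressionEnabled: false
    suppressionDuration: 'PT1H'
  }
}

// Automation rule: when a High-severity incident is created, run the playbook.
resource highSeverityAutomation 'Microsoft.SecurityInsights/automationRules@2023-02-01' = {
  scope: workspace
  name: guid(workspace.id, 'example-high-severity-automation')
  properties: {
    displayName: 'Example: run playbook on new High-severity incidents'
    order: 1 // automation rules run in ascending order
    triggeringLogic: {
      isEnabled: true
      triggersOn: 'Incidents'
      triggersWhen: 'Created'
      conditions: [
        { conditionType: 'Property', conditionProperties: { propertyName: 'IncidentSeverity', operator: 'Equals', propertyValues: [ 'High' ] } }
      ]
    }
    actions: [
      { order: 1, actionType: 'RunPlaybook', actionConfiguration: { logicAppResourceId: playbookResourceId, tenantId: subscription().tenantId } }
    ]
  }
}
```

Deploy it to the resource group that holds the Log Analytics workspace; the managed identity Sentinel uses to run playbooks must also be granted permission on the playbook's resource group, which the template does not do.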
In sum, configuring alerts and incidents to trigger automation is fundamental to the efficiency of a Security Operations Analyst’s role. By leveraging the tools provided by Azure Security Center and Azure Sentinel, it is possible to automate much of the first-line response to security events, freeing up time for more complex problem solving. Make sure you grasp this concept well as you continue your preparation for the SC-200 exam.
Practice Test
True/False: Alerts in Microsoft Security Operations are triggered based on the severity of the incident.
- True
- False
Answer: True.
Explanation: Alerts in Microsoft Security are indeed triggered based on the severity of the incident. The severity can be High, Medium, or Low.
Which of the following options are part of incident settings in Microsoft Security Operations? (Multiple Select)
- A. Alert grouping
- B. Automation rules
- C. User role assignment
- D. Threat intelligence
Answer: A, B, D.
Explanation: Alert grouping, automation rules, and threat intelligence are components of incident settings. User role assignment is typically in the purview of access management.
True/False: Automation rules in Microsoft Security can be configured to apply to all alerts without any filters.
- True
- False
Answer: True.
Explanation: Automation rules can be applied to all alerts if no filters are specified. This could potentially streamline responses to certain common or recurring situations.
What action CANNOT be automated using the automated incident response in Microsoft Security Operations?
- A. Assign the incident to a user.
- B. Change the status of an incident.
- C. Send an email notification.
- D. Automatically resolve all incidents.
Answer: D. Automatically resolve all incidents.
Explanation: While automated incident response offers a variety of actions, it does not have the ability to automatically resolve all incidents. This requires analysis and action by security personnel.
Which of the following cannot trigger an automated response?
- A. Incident Start
- B. Incident Assignment
- C. Incident Closure
- D. Incident Verification
Answer: D. Incident Verification
Explanation: Incident Start, Incident Assignment, and Incident Closure can trigger an automated response, but Incident Verification is not a triggering action in Microsoft Security Operations.
True/False: You can use Azure Logic Apps to configure alerts and incidents to trigger automation.
- True
- False
Answer: True.
Explanation: Azure Logic Apps is a cloud service that helps you automate and orchestrate tasks, business processes, and workflows when you need to integrate apps, data, systems, and services across enterprises or organizations.
Single choice: Which of the following is NOT a stage of Advanced automated response workflows in Microsoft Security Operations?
- A. Trigger
- B. Approval
- C. Review
- D. Run
Answer: C. Review
Explanation: Review is not a stage in the advanced automated response workflow. The stages are Trigger, Approval, and Run.
True/False: Microsoft Security Operations can only trigger automation based on internal security incidents.
- True
- False
Answer: False.
Explanation: Microsoft Security Operations can trigger automation based on both internal and external security incidents.
Multiple Select: Which of the following can be included in the automated response options of Security Operations?
- A. Change incident severity
- B. Initiate playbooks
- C. Generate incident reports
- D. Predict possible future incidents
Answer: A, B, C.
Explanation: While Security Operations can change the incident severity, initiate playbooks, and generate incident reports, it does not have the capability to predict possible future incidents.
True/False: Automation rules are applied to the incidents in the order they are listed.
- True
- False
Answer: True.
Explanation: Automation rules are indeed applied to incidents in the order they are listed. This applies whether you’re using the graphical interface or a PowerShell script.
Single Select: Who can create automation rules in Microsoft Security Operations?
- A. Administrators only
- B. Administrators and analysts
- C. All users
- D. Outsiders
Answer: B. Administrators and analysts
Explanation: In Microsoft Security Operations, only administrators and analysts have the privilege to create automation rules.
You can determine the order of rule execution by using which option?
- A. Priority.
- B. Severity.
- C. Status.
- D. Name.
Answer: A. Priority.
Explanation: Priority determines the order of rule execution in Microsoft Security Operations. Higher priority rules will be executed before the lower ones.
True/False: Automation rules in Microsoft Security Operations can also be applied to closed incidents.
- True
- False
Answer: False.
Explanation: Automation rules can only be applied to active or open incidents.
Configuration of automation rules is done to:
- A. Increase manual workload.
- B. Increase latency in response.
- C. Increase automation in incident response.
- D. Increase the occurrence of incidents.
Answer: C. Increase automation in incident response.
Explanation: Configuration of automation rules is done to automate as much of the incident response process as possible, reducing human intervention, thus increasing efficiency.
True/False: You can revert the action performed by an automation rule.
- True
- False
Answer: False.
Explanation: Actions performed by automation rules are not reversible. It is important to review and confirm automation rules before enabling them.
Interview Questions
What is the primary purpose of configuring alerts and incidents to trigger automation in Microsoft Security?
The primary purpose is to save resources and time by automating responses to certain security alerts, allowing for immediate action to be taken even if no human operator is available at the moment.
Can you list some of the actions that can be automated when an alert is triggered?
Yes, some actions that can be automated include running playbooks, sending notifications, closing false positive alerts, and assigning incidents to security analysts.
What component is most commonly used in Microsoft Security Operations to apply automation to alerts?
The most common component is Azure Logic Apps, which lets users create and run workflows that integrate with various services and systems.
What is an Incident in Microsoft Security Operations?
An incident in Microsoft Security Operations is a collection of related alerts that outline the specific entity or user under attack and the threat involved, compiled into one unit that can be investigated.
How can automation help with incident management?
Automation can help with incident management by automatically assigning incidents based on specific criteria, notifying the appropriate parties, closing unimportant or resolved incidents, and even automatically remediating some types of incidents.
How can an analyst configure alerts to trigger automation?
An analyst can configure alerts to trigger automation using an Azure Sentinel analytics rule: once the alert rule’s condition is matched, the associated automation rule can be triggered.
What is Azure Sentinel in the context of automation of alerts and incidents?
Azure Sentinel is a cloud-native security information and event management (SIEM) tool by Microsoft that provides intelligent security analytics and threat intelligence, and allows for automation by using playbooks.
How can automation help in reducing the number of false positive alerts?
Automation can help reduce the number of false positive alerts by configuring rules to automatically close known false positives based on specific criteria, allowing analysts to focus on genuine threats.
Can workflows be manually triggered in Azure Sentinel?
Yes, workflows in Azure Sentinel can be triggered manually as well as in an automated manner based on specific criteria or alerts.
How can incidents be automatically assigned in Microsoft’s security operations?
Incidents can be automatically assigned using rules in Azure Sentinel, which can route incidents to specific analysts or teams based on criteria such as the severity of the incident, the entities involved, or the type of alert that triggered the incident.
Can you automatically gather data from other systems when an incident occurs?
Yes, using Azure Logic Apps and playbooks, you can automatically gather data from other systems when an incident occurs to provide context and aid in the investigation.
What language is used to write queries for creating alert rules in Azure Sentinel?
Kusto Query Language (KQL) is used for writing queries to create alert rules in Azure Sentinel.
What role does Threat Intelligence play in automation of alerts and incidents?
Threat Intelligence feeds can be integrated into the system to provide additional context and automate responses to alerts and incidents based on the nature of the threat.
Can you automate the process of incident status updates in Microsoft Security Operations?
Yes, the status of incidents can be automatically updated based on configured playbooks and rules in Azure Sentinel.
What is the role of automation rules in incident management?
Automation rules are a critical part of incident management as they control how alerts are handled, how incidents are assigned and updated, and how they are eventually resolved.