
How to use Azure Sentinel for Incident Response?

  • July 29, 2021
  • 7 min read
IT Production Manager. Nicolas is primarily focused on Microsoft technologies and is a Microsoft MVP in Cloud and Datacenter Management.

Azure Sentinel

Azure Sentinel has become a very popular SIEM platform for security teams that must handle a growing number of increasingly complex security incidents. A SIEM platform is mandatory to be informed when an incident actually occurs. But what about the incident response? This part is handled by Azure Sentinel as well: Azure Sentinel is also a platform for Security Orchestration, Automation, and Response (SOAR).

SOAR is the natural evolution of the SOC, driven by the automation of security operations. A SOAR platform is mandatory if you want to reduce the Mean-Time-To-Response. Moreover, you can manage more alerts with fewer security analysts and, of course, you reduce the risk of missing important alerts.

Let us see in this guide how to automate the response in Azure Sentinel. First, you must have a Sentinel workspace configured properly. In this guide, I will raise a test alert using Cloud App Security to explain how the incident response works. In Azure Sentinel, enable the data connector “Cloud App Security”.

Cloud App Security

Once it is done, your Sentinel workspace is linked to your Cloud App Security tenant, so you can go to the CAS portal and create a new policy.

Cloud App Security

Enter a friendly name for this policy and then add the following filters.

Filters for the policy

This policy will trigger an alert each time an API token is generated. Before triggering a false alert, we must configure the incident response for that case.

In this guide, I use a Logic App to automate the response. A Logic App used as an automated response is called a playbook. A playbook is a collection of remediation actions that can be run from Azure Sentinel as a routine.

In the Azure Logic Apps section, click Create, then edit the Logic App you just created.

Azure Logic Apps

All you need to know about the Logic App pricing is here: The most important thing to understand when you work with Azure Sentinel and Logic Apps is the trigger. Your Logic App must start with the Azure Sentinel trigger.

Logic Apps Designer

In this case, the Logic App will start only when a new incident appears in Azure Sentinel. This is mandatory to automate incident response. You will need to sign in to create a connection to Azure Sentinel. You can use your own account (not recommended), a service principal (I would recommend this one) or a managed identity.

A new incident appears in Azure Sentinel

Then you can build your incident response depending on your needs. If you need help or examples, you can refer to this documentation:

The following example from Microsoft can be a good starting point: it sends an email when a new alert is raised.

Alert - get incident

When you are happy with your Logic App, go to the Azure Sentinel workspace, click “Analytics” and search for “Cloud App”. This rule will trigger your Logic App when a new alert appears.

Azure Sentinel workspace

In the Automated response tab, click “Add new” and select “Run playbook”. You should see your Logic App. Please note that if your Logic App is not visible or is grayed out, it means that the Logic App trigger is not correct. You really need to use the Azure Sentinel trigger shown above.

Automated response tab
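The Analytics rule and the “Run playbook” automated response described above can also be deployed as code. The following ARM template is an added example (not from the original post): it creates the Microsoft security rule that turns Cloud App Security alerts into incidents, restricted to the CAS policy name from this guide, and the automation rule that the Automated response tab creates for you when you select “Run playbook”. The workspace name, the playbook resource ID, the rule display names and the `CasPolicyName` default are assumptions.

```json
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "WorkspaceName": { "type": "string", "metadata": { "description": "Log Analytics workspace that hosts Azure Sentinel (assumed)" } },
    "PlaybookResourceId": { "type": "string", "metadata": { "description": "Resource ID of the already deployed Logic App playbook (assumed)" } },
    "CasPolicyName": { "type": "string", "defaultValue": "Create API token test", "metadata": { "description": "Name of the Cloud App Security policy created earlier in this guide" } }
  },
  "variables": {
    // Deterministic rule IDs so redeploying the template updates the same resources
    "RuleId": "[guid(resourceGroup().id, 'cas-incident-creation')]",
    "AutomationRuleId": "[guid(resourceGroup().id, 'cas-run-playbook')]",
    "RuleResourceId": "[resourceId('Microsoft.OperationalInsights/workspaces/providers/alertRules', parameters('WorkspaceName'), 'Microsoft.SecurityInsights', variables('RuleId'))]"
  },
  "resources": [
    {
      // Microsoft security rule: one Sentinel incident per matching Cloud App Security alert
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
      "apiVersion": "2022-11-01",
      "name": "[concat(parameters('WorkspaceName'), '/Microsoft.SecurityInsights/', variables('RuleId'))]",
      "kind": "MicrosoftSecurityIncidentCreation",
      "properties": {
        "displayName": "Create incidents based on Microsoft Cloud App Security alerts (API token policy)",
        "enabled": true,
        "productFilter": "Microsoft Cloud App Security",
        // Only alerts whose name matches the CAS policy become incidents; drop this filter to cover every CAS alert
        "displayNamesFilter": [ "[parameters('CasPolicyName')]" ],
        "severitiesFilter": [ "High", "Medium", "Low", "Informational" ]
      }
    },
    {
      // Automation rule: run the playbook whenever an incident created by the rule above appears
      "type": "Microsoft.OperationalInsights/workspaces/providers/automationRules",
      "apiVersion": "2022-11-01",
      "name": "[concat(parameters('WorkspaceName'), '/Microsoft.SecurityInsights/', variables('AutomationRuleId'))]",
      "dependsOn": [ "[variables('RuleResourceId')]" ],
      "properties": {
        "displayName": "Run notification playbook on Cloud App Security API token incidents",
        "order": 1,
        "triggeringLogic": {
          "isEnabled": true,
          "triggersOn": "Incidents",
          "triggersWhen": "Created",
          "conditions": [
            {
              "conditionType": "Property",
              "conditionProperties": {
                "propertyName": "IncidentRelatedAnalyticRuleIds",
                "operator": "Contains",
                "propertyValues": [ "[variables('RuleResourceId')]" ]
              }
            }
          ]
        },
        "actions": [
          {
            "order": 1,
            "actionType": "RunPlaybook",
            "actionConfiguration": {
              "logicAppResourceId": "[parameters('PlaybookResourceId')]",
              "tenantId": "[subscription().tenantId]"
            }
          }
        ]
      }
    }
  ]
}
```

Two checks before relying on this: the playbook referenced by `PlaybookResourceId` must start with the Azure Sentinel incident trigger, otherwise the automation rule cannot call it (the same reason a playbook shows up grayed out in the portal), and the Azure Security Insights application needs the Microsoft Sentinel Automation Contributor role on the resource group that holds the playbook, or the automation rule will be saved but the run will fail with a permission error.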

Save the rule. Now we can generate a new token in Cloud App Security to create a false alert. Go to the settings, click “Security Extensions” and then “Add token”.

Generate a new token in Cloud App Security

You should see the following alert in the alerts tab (just wait 1 or 2 minutes).

Create API token test

Now, switch to the Azure Portal and go to the Azure Sentinel section to confirm that the alert is visible.

Azure Portal

And then, confirm that your Logic App has been triggered as expected.

Logic App has been triggered as expected

Go to the following GitHub repository to see many playbook examples:
