Microsoft Sentinel – Automation Examples
Last Updated: 07/01/2025
Microsoft Sentinel provides a strong platform for capturing security logs, detecting suspicious activity, and investigating and responding to what is found. One of its key features is the ability to respond to security incidents with automated actions. This post details a few automation examples and the areas they impact.
Microsoft Sentinel leverages Azure Logic Apps in the form of playbooks to provide automation. This automation capability allows us to do many things, given the versatility of Azure Logic Apps.
What can we use automation for?
One of the main questions I always get asked is, what can we use automation for? I have broken down automation into 3 key areas:
- Administration – Basic repeatable tasks within Microsoft Sentinel. Such as tagging and forwarding alerts to other systems.
- Enrichment – Automating the repeatable tasks of an analyst. Speeding up investigation time.
- Action – Taking an initial action, usually to contain a potential threat quickly.
As we work down this list, the potential for negative impact increases. For example, a false positive may trigger an automation that isolates a user's device, which can have an adverse impact on the business. That's not to say we shouldn't do this, but rigorous testing is key and a tuned set of analytics rules is a must.
Administration
These activities are typically the tasks that maintain Microsoft Sentinel. Activities like tagging incidents and assigning them to users are a quick win. Additionally, depending on how your security team functions, being able to notify the correct individuals of an incident is key, for example forwarding high-severity alerts to your service desk or Teams/Slack channel.
A few automation examples of admin-based tasks would be:
- Tagging Incidents
- Auto Assign to user or group
- Notify a user's manager of a security incident
- Email, Teams & Slack notifications
- Forwarding & Syncing alerts with a Service Desk (ITSM) tool
- Generate Incident from email/HTTP
Enrichment
Enrichment should focus on having the correct and valuable information ready for an analyst to investigate. Automating repetitive tasks during an incident can save precious time, which in an investigation is vital. A few automation examples are:
- Add user job title/department/office location to incident
- Adding previous incident details (e.g. incidents for the same user in the same month)
- Adding device information & associated open vulnerabilities into the incident details
- Check entities against external TI sources (e.g. check a file hash against VirusTotal)
- Get geolocation of IP entities and add to incident comments
- Check email entities against HaveIBeenPwned
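The administration and enrichment lists above come together in the first thing most playbooks do: read the incident's entities, look up context, and write back tags, an owner and a comment. The following is an added example written for this post and is not a Microsoft playbook or Sentinel code. The incident, history and directory records are constructed, and the field names (`kind`, `name`, `address`, `created`) are a simplified assumption rather than the exact Sentinel incident schema; in a real playbook the `HISTORY` and `DIRECTORY` lookups would be Log Analytics and Entra ID queries.

```python
"""Added example: tagging, auto-assignment and enrichment of a Sentinel-style
incident. Records are constructed; field names are a simplified assumption,
not the exact Microsoft Sentinel incident schema."""
import json
from collections import defaultdict
from datetime import datetime

# Constructed incident, roughly the shape a playbook receives on trigger
INCIDENT = {
    "id": "inc-1042",
    "title": "Suspicious sign-in from unfamiliar location",
    "severity": "High",
    "created": "2025-01-07T09:14:00Z",
    "entities": [
        {"kind": "Account", "name": "jdoe"},
        {"kind": "Ip", "address": "203.0.113.45"},  # TEST-NET-3 documentation range
        {"kind": "FileHash", "algorithm": "SHA256", "value": "a" * 64},
    ],
}

# Constructed earlier incidents (what the "previous incidents" step would query)
HISTORY = [
    {"id": "inc-0998", "created": "2025-01-02T11:00:00Z", "account": "jdoe", "title": "Impossible travel"},
    {"id": "inc-1001", "created": "2024-12-28T08:30:00Z", "account": "jdoe", "title": "MFA fatigue"},
    {"id": "inc-1010", "created": "2025-01-05T15:45:00Z", "account": "asmith", "title": "Malware detected"},
]

# Constructed directory lookup standing in for an Entra ID / HR query
DIRECTORY = {"jdoe": {"jobTitle": "Finance Analyst", "department": "Finance", "office": "London"}}


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def entities_by_kind(incident):
    """Group the incident's entities by type so later steps can pick what they need."""
    grouped = defaultdict(list)
    for entity in incident["entities"]:
        grouped[entity["kind"]].append(entity)
    return grouped


def previous_incidents(incident, history, account):
    """Earlier incidents for the same account in the same calendar month."""
    created = parse_ts(incident["created"])
    matches = []
    for item in history:
        when = parse_ts(item["created"])
        same_month = (when.year, when.month) == (created.year, created.month)
        if item["account"] == account and same_month and when < created:
            matches.append(item)
    return sorted(matches, key=lambda item: item["created"])


def derive_tags(incident, prior):
    """Tags an analyst can filter on: severity, entity types present, repeat offender."""
    tags = {f"severity:{incident['severity'].lower()}"}
    kinds = entities_by_kind(incident)
    if "FileHash" in kinds:
        tags.add("has-file-hash")
    if "Ip" in kinds:
        tags.add("has-ip")
    if prior:
        tags.add("repeat-account")
    return sorted(tags)


def choose_owner(incident, prior):
    """High severity or a repeat account goes straight to the second-line queue."""
    return "tier2-queue" if incident["severity"] == "High" or prior else "tier1-queue"


def build_comment(incident, history, directory):
    """Human-readable enrichment that is written to the incident comments."""
    lines = []
    for entity in entities_by_kind(incident).get("Account", []):
        account = entity["name"]
        profile = directory.get(account)
        if profile:
            lines.append(f"{account}: {profile['jobTitle']}, {profile['department']}, {profile['office']}")
        prior = previous_incidents(incident, history, account)
        if prior:
            ids = ", ".join(f"{p['id']} ({p['title']})" for p in prior)
            lines.append(f"{account}: {len(prior)} earlier incident(s) this month: {ids}")
        else:
            lines.append(f"{account}: no earlier incidents this month")
    return "\n".join(lines)


def enrich(incident, history, directory):
    """Everything the playbook would write back to the incident, in one dict."""
    accounts = [e["name"] for e in entities_by_kind(incident).get("Account", [])]
    prior = [p for a in accounts for p in previous_incidents(incident, history, a)]
    return {
        "tags": derive_tags(incident, prior),
        "owner": choose_owner(incident, prior),
        "comment": build_comment(incident, history, directory),
    }


if __name__ == "__main__":
    print(json.dumps(enrich(INCIDENT, HISTORY, DIRECTORY), indent=2))
```

The month filter deliberately excludes the December incident, which is why the `created` timestamp, not just the account name, drives the "previous incidents" step; getting that window wrong is one of the easier ways for an enrichment playbook to mislead an analyst.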
Action
This area of automation focuses on taking an action, usually to contain a threat. These types of automation can be crucial for containing threats out of hours and quickly.
These types of action typically require a change to happen in your environment (e.g. changing ACLs or the configuration of resources). Rigorous testing should be part of implementing this type of automation as it has the potential to disrupt business functions. A few automation examples of this type would be:
- Isolating endpoints
- Blocking Entra ID accounts
- Revoking user session tokens
- Blocking entities in Defender for Endpoint
- Adding blocked IP addresses to Conditional Access
- Isolating Azure based resources (NSG changes)
- Updating an ACL on a Firewall
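Because a false positive here can take a device or account offline, a containment step should check a policy before it acts, not after. The following guardrail logic is an added example for this post, not code from Microsoft Sentinel or any playbook; the incident shape, the `POLICY` values and the host names are constructed and illustrative. Deny is the default, and the ledger limits how many isolations a single misfiring rule can cause in one window.

```python
"""Added example: guardrails evaluated before an automated isolation or block.
Inputs and policy values are constructed assumptions for illustration."""
from datetime import datetime, timedelta

# Illustrative policy; in practice this would live in config or a watchlist
POLICY = {
    "min_severity": "High",
    # Only analytics rules that have been tuned and tested may trigger isolation
    "allowed_rules": {"Ransomware precursor activity", "Credential dumping detected"},
    # Hosts whose isolation would cause an outage that outweighs the benefit
    "protected_hosts": {"dc01", "dc02", "sql-prod-01"},
    # Blast-radius limit: at most this many isolations per window
    "max_actions_per_window": 3,
    "window": timedelta(hours=1),
}
SEVERITY_RANK = {"Informational": 0, "Low": 1, "Medium": 2, "High": 3}


class ActionLedger:
    """Remembers recent containment actions so a runaway rule is rate-limited."""

    def __init__(self):
        self.actions = []  # list of (host, timestamp)

    def record(self, host, when):
        self.actions.append((host, when))

    def count_since(self, since):
        return sum(1 for _, when in self.actions if when >= since)


def evaluate_isolation(incident, host, ledger, policy, now):
    """Return (allowed, reason). Every check must pass; the safe default is deny."""
    threshold = SEVERITY_RANK[policy["min_severity"]]
    if SEVERITY_RANK.get(incident["severity"], -1) < threshold:
        return False, f"severity {incident['severity']} is below the threshold"
    if incident["rule"] not in policy["allowed_rules"]:
        return False, f"rule '{incident['rule']}' is not approved for automated isolation"
    if host.lower() in policy["protected_hosts"]:
        return False, f"{host} is on the protected-host list; escalate to an analyst"
    if ledger.count_since(now - policy["window"]) >= policy["max_actions_per_window"]:
        return False, "isolation rate limit reached; possible rule misfire, pausing automation"
    ledger.record(host, now)  # only executed actions count towards the limit
    return True, f"isolating {host}"


if __name__ == "__main__":
    ledger = ActionLedger()
    now = datetime(2025, 1, 7, 2, 30)  # constructed out-of-hours timestamp
    incident = {"id": "inc-1100", "severity": "High", "rule": "Credential dumping detected"}
    for host in ["ws-042", "dc01", "ws-043", "ws-044", "ws-045"]:
        allowed, reason = evaluate_isolation(incident, host, ledger, POLICY, now)
        print(f"{host}: {'ALLOW' if allowed else 'DENY'} - {reason}")
```

When the rate limit trips, the right follow-up is usually to close the loop back to administration: tag the incident, notify an analyst, and leave the device alone until a human has confirmed the rule is firing correctly.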
Considerations
Whilst there is a lot of out of the box content to get you started with Playbooks and automation, there are of course a few things to consider and keep in mind:
- Define your objective (and stick to it) – Automation can easily become complex, and as you start automating you may come up with different ideas. It's important to clearly set out your objective before you start.
- Automation is great when it works – Automation is based on logic and flow; if there is an issue with the flow or the trigger (i.e. the rule), then the automation will have an adverse effect. Testing is crucial and introducing automation at the right time is key.
- Don't forget maintenance, monitoring and improvements – As with most resources, monitoring and maintenance are key. Understanding and knowing when an automation has failed is crucial. Not to mention that things always change and require updating and improving.
Summary
Hopefully the above gives a reasonable idea of what is possible with automation. There are so many things that can be automated, and it can be a bit of a rabbit hole. A lot of the examples above are available as out of the box Playbooks within Microsoft Sentinel, whilst others can be found in community GitHub repos.
Thank you for reading, please check out my previous post on migrating Microsoft Sentinel between subscriptions.