Skip to content

Maximizing Cybersecurity with SOAR in Microsoft Sentinel: An overview

Discover how Security Orchestration, Automation, and Response (SOAR) in Microsoft Sentinel can streamline your cybersecurity operations. This guide unpacks the core components of SOAR, illustrating their significance through analogies, and explores how they integrate seamlessly within Microsoft Sentinel.

What is SOAR?

SOAR is the short term for Security Orchestration, Automation and Response to boost your cybersecurity defense. Let us break down each component:

Orchestration – The Symphony Orchestra

Picture an orchestra playing music with different instruments. The conductor of the orchestra ensures that all musicians play in harmony. For this he makes sure that they are starting and stopping at the right moments and adjusts the tempo as needed. If you reflect this to cybersecurity and Microsoft Sentinel, the orchestration is like the conductor. It coordinates various security tools (the musicians in our example) to work together seamlessly. Furthermore, it integrates responses from various security tools to efficiently manage cyber threats.

Example: Connecting Microsoft products (Entra ID, Microsoft Defender XDR, …) and third-party solutions (firewalls, endpoint protection) in one solution.

Automation – The Self-Driving Car

Autonomous cars are getting more real, so consider such a self-driving car that navigates through traffic. It must adjust speed and respond to road conditions without any intervention from the human. To get this job done the car uses sensors and algorithms to make decisions and perform tasks automatically. So, automation in cybersecurity context refers to nearly the same. You can configure automation rules to respond automatically to cyber threats and to handle repetitive tasks.

Example: Automatically isolate a compromised device.

Response – The Emergency Services

If emergency services (firefighters, paramedics, police) get a call there is always a structured and practiced procedure that must be fulfilled when the call is received. Roles are clearly defined; resources are dispatched, and actions are taken swiftly to address the situation. In cybersecurity, response is the set of actions taken to manage and mitigate a security incident. So, when a threat is detected a well-defined response plan is activated involving specific steps and measures to isolate and neutralize the threat.

Example: Instantly blocking malicious IP addresses following a confirmed security breach.

Why Do I Need SOAR?

I explained the single parts of SOAR and you may ask yourself how they are working together in Microsoft Sentinel. To get a better understanding let us use another example. Imagine a threat is detected. Sentinel orchestrates the flow of information between connected systems and tools. This is used to assess and prioritize the alert. It then automatically triggers the appropriate playbook(s) to respond to the alert. This will execute a series of predefined response actions.

Every day we read about a new threat, compromised accounts and breaches. That is not surprising because the illegal market booms to sell accounts or access. Furthermore, in the world of AI the “bad guys” also make use of this to get an advantage. To keep pace, we must focus on the right incidents and get rid of manual tasks and unnecessary incidents that do not give us any information on ongoing attacks. In the dynamic landscape of cybersecurity threats, the integration of SOAR within Microsoft Sentinel provides an initiative-taking stance against attacks. By orchestrating information flow, prioritizing alerts, and automating response actions, Sentinel empowers teams to focus on critical incidents, reducing the noise of false positives and the burden of manual tasks.

Isn’t Sentinel Just a SIEM?

While Microsoft Sentinel is renowned for its SIEM capabilities, it transcends this classification by incorporating SOAR functionalities. This integration means Sentinel not only identifies and logs threats but also actively engages in their remediation, offering a comprehensive security solution without the need for additional tools.

Getting Started with Microsoft Sentinel

What are you waiting for? Open your dev environment and let’s test it out.

Dive into Sentinel by setting up your environment and exploring its capabilities. For detailed setup instructions, refer to First steps setting up Microsoft Sentinel

After you set this up and have at least one connector configured, we will check that Sentinel can execute Logic Apps.

To get this working the service account “Azure Security Insights” needs the “Microsoft Sentinel Playbook Operator” role. To get an overview of all roles take a look at this article: Roles and permissions in Microsoft Sentinel.

Interesting for us is the following part:

To check and set the permission open Microsoft Sentinel in Azure Portal. After this navigate to “Settings” and “Settings”:

Scroll down to “Playbook permissions” and click on “Configure permissions”:

On the right side of the window, you see “Manage permissions”. Click on “Current permissions” and check if you have set it already:

If it is set to the wrong resource group (RG), just delete it. To set it for a resource group, click on “Browse”, choose your resource group, mark the check box, and click on “Apply”. I used RG where my log analytic workspace is for Sentinel.

After you clicked on “Apply” the service principal “Azure Security Insights” is added to the RG with “Microsoft Sentinel Automation Contributor” rights:

Congratulations, you are ready to deploy your first automation.

Your First Automation

Kickstart your automation journey with a simple project to manage false positives using Sentinel’s Content Hub templates. This practical exercise will familiarize you with creating playbooks and customizing them to your environment’s needs, significantly reducing manual oversight by filtering out benign activities. Navigate to the Content hub, search for “Watchlists Utilities”, choose it and click on “Install”:

After installation is done navigate to “Automation” in Microsoft Sentinel and click on “Playbook templates (Preview)”:

Navigate to playbook templates in Sentinel

If you have installed multiple solutions on Content hub the list can be longer.

Choose “Add IP To Watchlist – Incident Trigger” and click on “Create playbook”:

In the upcoming wizard choose the resource group where you set the permission, adjust the playbook name if you want and click on “Next”:

Set a watchlist alias you want to use to identify the watchlist later and click on “Next”:

Since we have actually no managed identity, we can only skip this page and set this later in the designer:

Review your settings and click on “Create playbook”:

Afterwards we are getting into “Logic app designer” where we have to set the correct connections:

We need to allow the playbook to write/create the watchlist. Click on “Identity” and “Azure role assignments”:

Click on “Add role assignment (Preview)”:

Choose as scope “Resource group”, the correct RG and as role “Microsoft Sentinel Contributor”:

Then click “Save”.

To execute this manually navigate to Microsoft Sentinel incidents, choose one where an entity with an IP address is existing and click on “Actions”:

Choose “Run playbook (Preview)”:

Click on “Run”:

If the run was successful, you see a new watchlist. Click in Sentinel on “Watchlist” and look out for the watchlist:

Click on the watchlist and on the right side of the screen choose “View in logs”:

You will get redirected to “Logs” and the query will be executed automatically. If you see no entry, wait at least 5 minutes:

Furthermore, we can check the Logic App “Run History”. Go to your Logic App, click on “Run History”, and choose your run. It can be “Succeeded” or “Failed”. If it “Failed”, then click on the failed one and review the values in the designer:

Choose one of the runs and you can see all information for every step in your Logic App:

So, what are you doing now? You can alter your analytic rules to exclude the items found in the watchlist. With this false-positive incidents can be lowered.


Embarking on automation within Microsoft Sentinel is a strategic move towards a more resilient cybersecurity framework. Starting small and gradually expanding your automation scope can significantly enhance incident management and operational efficiency. Microsoft’s continuous enhancements in Sentinel’s features support a robust defense mechanism for your enterprise.

Stay connected for more insights and updates. For questions or recommendations, feel free to reach out on LinkedIn, X(Twitter) or leave a comment 😊.

Published inAzureSecuritySentinel

Be First to Comment

Leave a Reply

Your email address will not be published. Required fields are marked *