Recently, I joked about the potential for an analyst assistant for Azure Sentinel. The blog post “Is it Time for an Analyst Assistant for Azure Sentinel?” garnered a fair bit of attention. In fact, I was interested to find from that there’s already some efforts internally to build an assistant-type security knowledge AI for something else, but the blog post sparked some additional interest and confirmation.
Yes…interesting.
What an analyst’s assistant might look like in the future will probably be nothing like how I comically envisioned Cortana, Clippy, or Tay helping with Azure Sentinel investigations – but customer help and guidance is a very real direction for security technologies. I’ll actually be talking a bit about this during the fireside chat with Difenda this week. If that’s news to you or simply serves as a reminder, here’s the link to register to join in on the discussion on May 13th at 2pm EST: https://difenda.getresponsepages.com/
In the interim, though, I was reminded of an excellent Playbook that my friend Jordan Ross put together some time ago. Some may be new to Azure Sentinel and didn’t know that this existed. I use it all the time.
The Playbook takes remediation steps that are supplied from the connection to Sentinel from Microsoft Defender for Endpoint or Azure Defender, and injects them into the Comments section of the Azure Sentinel Incident. As shown in the image, this provides some very useful guidance for how to potentially react.

The Playbook is available from here: https://github.com/Azure/Azure-Sentinel/tree/master/Playbooks/Comment-RemediationSteps
More information about the Playbook is available in Jordan’s original blog post about it: Bring Remediation Steps into Azure Sentinel – Microsoft Tech Community
UPDATE: After writing and publishing this post, another awesome capability of Azure Sentinel has been released which is along the same vein of thought process around guidance. The SOC Process Framework Workbook has been released and is a fantastic resource. Get it today!
=========================
[Want to discuss this further? Hit me up on Twitter or LinkedIn]
[Subscribe to the RSS feed for this blog]
[Subscribe to the Weekly Azure Sentinel Newsletter]
You must log in to post a comment.