How to Create an Azure Sentinel SOC Alerting System

The Azure Sentinel Hackathon has my creative juices in full swing.

For my first feat, I talked earlier this week about How to Build an Alexa Skill to Report Critical Azure Sentinel Incidents Generated Overnight. I’m still working on deeper integration for Alexa and Azure Sentinel, but as is the case, I keep having squirrel moments and get distracted with other cool stuff.

On Thursday, my LIFX lightbulb arrived, for which there’s a Logic App connector.

The LIFX Color bulb

While the wife was away, I repurposed one of her lamps and installed it on my desk.

All clear!

I spent the next bit of time getting the lightbulb installed and working to create a simple Azure Sentinel Playbook that integrates the light source as an alerting system for incoming Incidents. And, really, the time I’ve spent so far is minimal. Getting this up and running with something simple was far too easy.

Here’s my time commitment so far:

  1. Time to order the LIFX from Amazon = 10 seconds or less
  2. Time to wait for the LIFX to arrive = 2 days
  3. Time to find a lamp I could abscond with = 30 minutes
  4. Time to install the lightbulb, install the LIFX app, and configure it on my network = 10 minutes
  5. Time to write the Playbook and the Automation Rule = 15 minutes

So, as you can see, it took longer to find a lamp I could use than to generate the actual integration. I’m still waiting for the wife to notice one of her lamps is missing.

So, here’s the simple thing I’ve come up with already.

I created a simple 2-step Playbook:

  1. I chose the Creation Rule trigger because I want this to run against all Analytics Rules and report if a High severity Incident gets generated.
  2. I chose to turn the light on and flash Red 10 times.

Alert Playbook

Next, I created my Automation Rule. Again, it's pretty simple. The rule looks at all Analytics Rules and if an alert is generated for a High Severity Incident, the Automation Rule runs my newly created, 2-step Playbook.

Automation Rule

And, the result? When a High Severity Incident gets created, the light flashes red 10 times.

I’ve also created a Playbook and subsequent Automation Rule to flash the bulb orange when a Medium severity Incident gets generated. In my environment, these are more frequent, so imagine my surprise sitting here during the day and the light starts flashing orange while I’m talking to a customer. Proof that it works, but it's still an unexpected event.

I’m already digging deeper into this and will report back as I complete new ideas, but here are some of the other ideas I’m currently working on:

  1. Have the light turn on each morning with a color gradient indicating the status of the SOC. i.e., are there critical Incidents? Turn red. Are there only Medium incidents? Turn yellow. All clear? Turn green.
  2. As the SOC team works during the day to close out Incidents, the bulb slowly changes from red to green.
  3. Use Alexa to query the Azure Sentinel SOC to get a color indicator of workload.
  4. Build out a calculation to get a “SOC Score” and communicate it through color.
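To make the colour logic behind the two Playbooks and the "morning status" and red-to-green ideas concrete, here is an added Python example (not code from the post or from the LIFX connector). It assumes Medium incidents pulse 10 times like High ones, that Low/Informational count as all clear, and that the LIFX HSB colour string format shown is accepted; the sample Incidents are constructed inline.

```python
# Added example (not from the original post): the severity-to-colour logic
# behind the Playbooks and the "morning status" idea, as plain Python.
from typing import Iterable, Optional, Tuple

# Severities as Azure Sentinel names them, in descending order.
SEVERITY_ORDER = ("High", "Medium", "Low", "Informational")

# What the two Playbooks in the post do when an Incident is created:
# High -> flash red 10 times; Medium -> flash orange (10 cycles is an assumption).
FLASH_BY_SEVERITY = {"High": ("red", 10), "Medium": ("orange", 10)}


def flash_for_incident(severity: str) -> Optional[Tuple[str, int]]:
    """Return (colour, cycles) to pulse, or None when no Automation Rule matches."""
    return FLASH_BY_SEVERITY.get(severity)


def morning_status_colour(incidents: Iterable[dict]) -> str:
    """Colour for the start-of-day check: red if any open High Incident,
    yellow if the worst open Incident is Medium, green otherwise
    (Low/Informational treated as all clear; an assumption)."""
    open_sev = {i["severity"] for i in incidents if i["status"] != "Closed"}
    for sev in SEVERITY_ORDER:
        if sev in open_sev:
            return {"High": "red", "Medium": "yellow"}.get(sev, "green")
    return "green"


def progress_hue(total: int, closed: int) -> int:
    """Hue for the red-to-green gradient as the SOC closes Incidents:
    0 (red) with nothing closed, 120 (green) when every Incident is closed."""
    if total <= 0 or closed >= total:
        return 120
    return round(120 * max(closed, 0) / total)


def lifx_colour(hue: int, brightness: float = 0.5) -> str:
    """HSB colour string in the form the LIFX API accepts (assumed format)."""
    return f"hue:{hue} saturation:1.0 brightness:{brightness}"


if __name__ == "__main__":
    # Constructed sample Incidents standing in for a workspace query.
    sample = [
        {"id": 1, "severity": "High", "status": "New"},
        {"id": 2, "severity": "Medium", "status": "Active"},
        {"id": 3, "severity": "Medium", "status": "Closed"},
    ]
    print(flash_for_incident("High"))         # ('red', 10)
    print(morning_status_colour(sample))      # red
    closed = sum(i["status"] == "Closed" for i in sample)
    print(lifx_colour(progress_hue(len(sample), closed)))  # hue:40 saturation:1.0 brightness:0.5
```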

But really, the potential here is endless thanks to our automation capabilities in Azure Sentinel. Hopefully, this has given you some incentive to start building out your own creations for the Azure Sentinel Hackathon.
