Building Microsoft Sentinel Incident Tasks Recipes

Today, we announced a new feature in public preview called Incident Tasks. Incident Tasks allow organizations to develop a recorded encyclopedia of methods they commonly use to approach specific events in their environment. This enables the security teams to work better and more efficiently and allows all levels of security expertise on the team to investigate without missing a critical step.

The feature on its own is awesome but coupled with additional guidance around the specific steps to take in the various scenarios it becomes even more valuable. On one hand, something like the SOC Process Framework solution or Microsoft’s Incident Response Playbooks can provide a lot of that guidance, but even with those security teams will need to build out the approach and process for each specific scenario to investigate and develop the tasks. And, then beyond the Microsoft guidance, every environment is different and may need to approach situations differently based on a number of factors.

So, I put up a GitHub repository today to get started to collaborate on ideas around additional guidance. I put up an example of my own that I’m building out around PowerShell and Cloud Shell execution. Take a look.

The repo is for Microsoft Sentinel Incident Tasks Recipes. If you find it useful, let me know. If you’d like to fork the repo and collaborate, that would be hugely appreciated.

Microsoft Sentinel Incident Tasks Recipes:


[Want to discuss this further? Hit me up on Twitter or LinkedIn]

[Subscribe to the RSS feed for this blog]

[Subscribe to the Weekly Microsoft Sentinel Newsletter]

[Subscribe to the Weekly Microsoft Defender Newsletter]

[Learn KQL with the Must Learn KQL series and book]


Leave a Reply