Automate your SOC – Known Badness

Threat Intelligence Module This post builds upon your initial installation and provides a deeper understanding of each of the modules (log apps) that make up MSTAT. See the links below for earlier posts to build your knowledge on the capabilities of each module. You can also find all related posts by searching this blog. The … Continue reading Automate your SOC – Known Badness →

Automate your SOC – Rise of the machine (risk)

Microsoft Defender for Endpoint We’re back with another edition of Automate your SOC with Microsoft STAT. Today we’re going to discuss the Microsoft Defender for Endpoint module (MDEModule). This module can retrieve a few pieces of information that can enrich your incident. The module can return the risk level and exposure level from MDE from … Continue reading Automate your SOC – Rise of the machine (risk) →

Automate your SOC – Is there anything else going on?

Microsoft Sentinel Related Alerts This post builds upon your initial installation and provides a deeper understanding of each of the modules (log apps) that make up MSTAT. See the links below for earlier posts. You can also find all related posts by searching this blog. The Related Alerts module takes the incident entity data and … Continue reading Automate your SOC – Is there anything else going on? →

Automate your SOC – Oh, that user again?

Adding user risk to your STAT playbook Now that you’ve got your first playbook set up, let’s talk about what each module does. We’re going to start with the Azure AD Risks module. This module retrieves several pieces of information to help enrich your incident. The risk level for the users in the incident as … Continue reading Automate your SOC – Oh, that user again? →

Automate your SOC – Risky Business

Giving your incidents a risk score So, you’ve installed STAT using the deployment ARM template? Yes, ok let’s go. If not, see our tutorial on getting it installed here. Let’s start by navigating to your Logic Apps blade in the Azure portal. Here you will see that STAT installed fifteen logic apps. We will go … Continue reading Automate your SOC – Risky Business →

Automate your SOC – Noise is the enemy of speed

As you can imagine, Microsoft has a massive security footprint. We’ve published previously that we get more than 20 billion cybersecurity events per day. That is an incredible number and you can imagine how difficult it must be to sort through all that data to find real threats. You may not have that many events, … Continue reading Automate your SOC – Noise is the enemy of speed →

Automate your SOC – Let’s talk about STAT, baby

Let's talk about SIEM and me...let's talk about all the good things Last week, we talked about automating your SOC with the Microsoft Sentinel Triage Assistant (STAT). So this week, we thought it would be a good idea to talk about how to get STAT deployed in your Sentinel environment. Remember that STAT consists of … Continue reading Automate your SOC – Let’s talk about STAT, baby →

Let’s automate your SOC

Intro to Microsoft Sentinel Triage Assistant (STAT) We wanted to jump right in to help you automate your security operations by introducing the Microsoft Sentinel Triage Assistant or STAT for short. STAT is built on a series of Azure Logic Apps which can be integrated into Microsoft Sentinel, Azure Active Directory, and the 365 Defender … Continue reading Let’s automate your SOC →

Welcome to…

Welcome to the SOCAutomator's blog. Mike and I are here to talk about the importance of automation in incident response. We'll talk about the theory of automation as well as practical examples of how you can apply automation to your environment. Your first question might be "Why should I automate?" There are many answers to … Continue reading Welcome to… →