11: SOAR Flashcards
(18 cards)
What is SOAR in Microsoft Sentinel?
Security Orchestration, Automation, and Response. It allows automated response to alerts and incidents using playbooks.
What is a playbook in Sentinel?
A workflow built in Azure Logic Apps that automates actions like sending notifications, enriching data, or responding to threats.
What can trigger a playbook in Sentinel?
Alerts, incidents, or manual actions by analysts.
What kinds of actions can playbooks perform?
Notify teams, enrich with threat intel, create tickets, isolate machines, disable users, or call APIs—anything you can build in Logic Apps.
Do I need to know how to code to build a playbook?
No. Logic Apps are low-code with a drag-and-drop interface, and many templates are available.
Where can I find prebuilt playbooks?
In the Content Hub or directly under Automation in Sentinel. Many solutions also include playbooks.
Why is SOAR valuable to security teams?
It reduces manual, repetitive tasks—freeing up analysts for high-value work and speeding up response time.
What is the difference between SOAR and SIEM?
SIEM (Sentinel) collects, detects, and visualizes. SOAR (via playbooks) responds and automates.
What is the Automation Rules tab in Sentinel?
It’s where you define when and how playbooks run—based on conditions like incident severity, title, or tags.
Can you chain multiple actions in one playbook?
Yes. Playbooks can have conditional logic, loops, and multiple sequential or parallel actions.
Can playbooks integrate with third-party tools?
Yes. Logic Apps support connectors for ServiceNow, Teams, Slack, VirusTotal, CrowdStrike, etc.
What is an example use case for automation?
When a high-severity alert fires, a playbook enriches it with IP reputation, notifies the SOC, and opens a ticket.
Can playbooks run on alerts and incidents?
Yes, but they require different triggers: alert-triggered and incident-triggered playbooks have different templates.
What happens if a playbook fails?
You can view the run history in Logic Apps and troubleshoot with detailed error messages.
Can I edit a playbook after creating it?
Yes. You can modify, disable, clone, or delete any playbook at any time.
Can I test a playbook before using it in production?
Yes. You can manually trigger it from an incident or use test data in Logic Apps to simulate a run.
Are there any costs associated with playbooks?
Yes. Logic Apps runs are billed separately, but the cost is usually low unless a playbook is run heavily.
How do I control when playbooks run?
Use Automation Rules to set conditions (e.g., run only on high-severity incidents with a specific tag).