SOC Process Framework
If you are like me, you are probably excited by how fast Azure Sentinel has grown. This means more capabilities, functions and integrations to work with. So with all that power, how do I build a SOC and operationalize my Security Operations to keep up? At long last, there is a new Workbook to help you do just that. I have spent over a decade helping to build SOCs, and together at Microsoft my team of GBBs built a SOC Process Framework Workbook that combines SOC industry standards and best practices and applies them to Azure Sentinel.
| Content | Link |
|---|---|
| Main SOC Process Framework Blog | https://techcommunity.microsoft.com/t5/azure-sentinel/what-s-new-azure-sentinel-soc-process-framework-workbook/ba-p/2339315 |
| SOC Process Framework Workbook | https://github.com/Azure/Azure-Sentinel/blob/master/Workbooks/SOCProcessFramework.json |
| Incident Overview Workbook (author Clive Watson) for remediation and watchlist integration | https://github.com/Azure/Azure-Sentinel/blob/master/Workbooks/IncidentOverview.json |
| Watchlist | https://github.com/Azure/Azure-Sentinel/blob/master/docs/SOCAnalystActionsByAlert.csv |
| Get-SOCActions Playbook | https://github.com/rinure-msft/Azure-Sentinel/tree/master/Playbooks/Get-SOCActions |
| Incident Remediation Readme | Blog: tbc |
In the Incident Overview Workbook, if an Alert has remediation entries, those are shown (Basic view). Note: not all Alerts have this data. However, you can provide your own set of Alerts mapped to the Alert "Title". This enhanced feature uses a Watchlist with the alias name SocRA (Advanced view), and the enhanced data is then shown in the Incident Overview workbook. This lets you provide your own set of remediations if required, for example adding extra steps that your SOC process requires.
You must download the Watchlist file called SOCAnalystActionsByAlert.csv (https://github.com/Azure/Azure-Sentinel/blob/master/docs/SOCAnalystActionsByAlert.csv).
Name the Watchlist alias as: SocRA
Note: SocRA is case sensitive; you need an uppercase S, R and A.
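As an added example (not part of this wiki page or of the Incident Overview workbook JSON), the following KQL shows how the SocRA watchlist can be joined to recent alerts to surface remediation steps, keeping alerts that have no watchlist entry. The column names AlertTitle and RemediationSteps are assumptions; check them against the header row of SOCAnalystActionsByAlert.csv before use.

```kusto
// Added example: look up SOC remediation steps for recent alerts
// from the watchlist with alias 'SocRA' (alias is case sensitive).
// Assumed watchlist columns: AlertTitle (matched against SecurityAlert.AlertName)
// and RemediationSteps. Adjust to the real CSV header if it differs.
let SocActions = _GetWatchlist('SocRA')
    | project AlertTitle = tostring(AlertTitle),
              RemediationSteps = tostring(RemediationSteps);
SecurityAlert
| where TimeGenerated > ago(7d)
// one row per alert, latest state wins
| summarize arg_max(TimeGenerated, *) by SystemAlertId
| project TimeGenerated, AlertName, AlertSeverity, ProviderName
// leftouter keeps alerts with no watchlist entry, since not every alert has one
| join kind=leftouter (SocActions) on $left.AlertName == $right.AlertTitle
| extend RemediationSteps = iff(isempty(RemediationSteps),
                                'No SOC remediation entry in SocRA watchlist',
                                RemediationSteps)
| project TimeGenerated, AlertName, AlertSeverity, ProviderName, RemediationSteps
| order by TimeGenerated desc
```

If the watchlist alias is created with different casing, `_GetWatchlist('SocRA')` returns no rows and every alert falls back to the placeholder text, which is a quick way to confirm the alias was set correctly.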