File changed: Instructions/Labs/LAB_AK_08_Lab1_Ex01_Playbook_Defender.md (28 additions & 34 deletions)
@@ -1,12 +1,12 @@
1
1
---
2
2
lab:
3
-
title: Exercise 2 - Create a Playbook
4
-
module: Learning Path 8 - Create detections and perform investigations using Microsoft Sentinel
5
-
description: You have now created a playbook and an automation rule in Microsoft Sentinel.
6
-
duration: 30 minutes
7
-
level: 200
8
-
islab: true
9
-
primarytopics:
3
+
title: Exercise 1 - Create a Playbook
4
+
module: Learning Path 8 - Create detections and perform investigations using Microsoft Sentinel
5
+
description: You have now created a playbook and an automation rule in Microsoft Sentinel.
6
+
duration: 30 minutes
7
+
level: 200
8
+
islab: true
9
+
primarytopics:
10
10
- Microsoft Sentinel
11
11
---
12
12
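Review bot: The only substantive change in this front-matter hunk is the title at line 3 going from "Exercise 2" to "Exercise 1", which now matches the file name LAB_AK_08_Lab1_Ex01_Playbook_Defender.md. While the front matter is being touched, the `description:` field at line 5 ("You have now created a playbook and an automation rule in Microsoft Sentinel.") reads as the lab's closing sentence rather than a description of what the exercise covers; something like `description: Create a playbook and an automation rule in Microsoft Sentinel.` would fit the field better.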
@@ -24,13 +24,11 @@ With a playbook, you can help automate and orchestrate your threat response, int
24
24
25
25
In this task, you create a Logic App that is used as a Playbook in Microsoft Sentinel.
26
26
27
-
>**Note:** Microsoft Sentinel has been predeployed and onboarded to Microsoft Defender XDR with the name **sentinelworkspace-01**, and the required *Content Hub* solutions have been installed.
27
+
>**Note:** Microsoft Sentinel has been predeployed and onboarded to Microsoft Defender XDR with the name **Sentinelworkspace-01**, and the required *Content hub* solutions have been installed.
28
28
29
-
1.Log in to WIN1 virtual machine as Admin with the password: **Pa55w.rd**.
29
+
1.Sign in to **WIN1** virtual machine as Admin using the provided credentials.
30
30
31
-
1. Open the Microsoft Edge browser.
32
-
33
-
1. In the Edge browser, navigate to Defender XDR at `https://security.microsoft.com`.
31
+
1. Open **Microsoft Edge** browser and navigate to **Microsoft Defender XDR** at `https://security.microsoft.com`.
34
32
35
33
1. In the **Sign in** dialog box, copy, and paste in the **Tenant Email** account provided by your lab hosting provider and then select **Next**.
36
34
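Review bot: The new line 29 still has no space after the list marker (`1.Sign in to **WIN1** virtual machine ...`), so it will not render as an ordered-list item and the step numbering will be off; the old line had the same defect, and this is the place to fix it. Dropping the literal password from the sign-in step in favor of "using the provided credentials" is the right call for a lab document. Also confirm that the casing change to **Sentinelworkspace-01** at line 27 matches the workspace name as it actually appears in the portal, since learners will look for it verbatim.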
@@ -40,29 +38,25 @@ In this task, you create a Logic App that is used as a Playbook in Microsoft Sen
40
38
41
39
1. In the Microsoft Defender navigation menu, scroll down and expand the **Microsoft Sentinel** section.
42
40
43
-
1. Expand the *Content management* section and select **Content Hub**.
44
-
45
-
1. Within the search bar, look for **Sentinel SOAR Essentials**.
41
+
1. Expand the **Content management** section and select **Content hub**.
46
42
47
-
1.Select the solution that appears in the results.
43
+
1.In the search box, type **Sentinel SOAR Essentials**.
48
44
49
-
1.Within the solution details, select **Manage**.
45
+
1.From the results, select the **Sentinel SOAR Essentials**solution and then select **Manage**.
50
46
51
-
1. Find the **Defender_XDR_Ransomware_Playbook_for_SecOps-Tasks** playbook and select the name.
47
+
1. Find the **Defender_XDR_Ransomware_Playbook_for_SecOps-Tasks** playbook and then select the playbook name.
52
48
53
49
1. Select the **Incident tasks - Microsoft Defender XDR Ransomware Playbook for SecOps** template.
54
50
55
51
1. On the details pane, select **Create playbook**.
56
52
57
-
1. For Resource Group, select **SentinelStatic** and select OK.
58
-
59
-
1. Remove **for** and the extra *underscores* from the playbook name (would exceed limit of 64 characters). It should read **Defender_XDR_Ransomware_Playbook_SecOps_Tasks**.
53
+
1. For Resource Group, select **SentinelStatic** and then select **OK**.
60
54
61
-
1.Select **Connections**.
55
+
1.Edit the playbook name to remove *for* and the extra *underscores* (would exceed limit of 64 characters). It should read **Defender_XDR_Ransomware_Playbook_SecOps_Tasks**.
62
56
63
-
1. Select **Next: Review and create**.
57
+
1. Select **Next: Connections >** and review the default options.
64
58
65
-
1.Now select **Create Playbook**.
59
+
1.Select **Next: Review and create**, review the details, and then select **Create playbook**.
66
60
67
61
>**Note:** Wait for the deployment to finish before proceeding to the next task.
68
62
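Review bot: Lines 43, 44, 45 and 55 keep the `1.In`, `1.From`, `1.Edit` form with no space after the list marker, which breaks ordered-list rendering and leaves those steps numbered out of sequence with the rest of the task; line 45 also needs a space between `**Sentinel SOAR Essentials**` and `solution`. Folding the separate "Select **Connections**" step into `Select **Next: Connections >** and review the default options` at line 57 reads well, and the reordered rename step at line 55 now sits after the Resource Group step; please confirm the playbook name field is shown before the Connections tab in the portal so the order matches the UI.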
@@ -74,25 +68,25 @@ In this task, you update the new playbook you created with the proper connection
74
68
75
69
1. When the previous task completes you should be in the *Defender_XDR_Ransomware_Playbook_SecOps-Tasks | Logic app designer* page. If you aren't, complete steps 2-7 below.
76
70
77
-
1. In the Search bar of the Azure portal, type Sentinel, then select Microsoft Sentinel.
71
+
1. In the Search bar of the Azure portal, type *Sentinel*, then select **Microsoft Sentinel**.
78
72
79
73
1. Select your Microsoft Sentinel Workspace.
80
74
81
-
1. Select Automation under the Configuration area and then select the *Active Playbooks* tab.
75
+
1. Select **Automation** under the **Configuration** area and then select the **Active Playbooks** tab.
82
76
83
-
1. Select Refresh from the command bar in case you don’t see any playbooks. You should see the playbook created from the previous step.
77
+
1. Select **Refresh** from the command bar if you do not see any playbooks. The playbook created in the previous step should be displayed.
84
78
85
79
1. Select the **Defender_XDR_Ransomware_Playbook_SecOps_Tasks** playbook name link.
86
80
87
-
1. On the Logic app designer page for **Defender_XDR_Ransomware_Playbook_SecOps_Tasks**, in the command menu, select Edit.
81
+
1. On the **Logic app designer** page for **Defender_XDR_Ransomware_Playbook_SecOps_Tasks**, in the command menu, select **Edit**.
88
82
89
83
>**Note:** You may need to refresh the page.
90
84
91
-
1. Select the first block, Microsoft Sentinel incident.
85
+
1. Select the first block labeled **Microsoft Sentinel incident**.
92
86
93
-
1. Select the **Change connection*** link.
87
+
1. Select the **Change connection** link.
94
88
95
-
1. Select **Add new** and select **Sign in**. In the new window, select your Azure subscription admin credentials when prompted. The last line of the block should now read “Connected to your-Student-username”.
89
+
1. Select **Add new** and select **Sign in**. In the new window, select your Azure subscription admin credentials when prompted. The last line of the block should now read "Connected to your-Student-username".
96
90
97
91
<!--- 1. Below within the logic split (+ sign), select Add an action to incident.--->
98
92
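Review bot: The unchanged context line 69 still refers to *Defender_XDR_Ransomware_Playbook_SecOps-Tasks | Logic app designer* with a hyphen before "Tasks", while line 79 and the rename step earlier in this file use **Defender_XDR_Ransomware_Playbook_SecOps_Tasks** with an underscore; a learner comparing the page title will be confused, so line 69 should be changed to the underscore form in the same commit. Removing the stray asterisk from `**Change connection***` at line 87 and replacing the curly quotes at line 89 with straight quotes are both good catches.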
@@ -106,11 +100,11 @@ In this task, you update the new playbook you created with the proper connection
106
100
107
101
1. Select **+ Create** and choose **Automation Rule**.
108
102
109
-
1. Give the rule a name
103
+
1. Give the rule a name.
110
104
111
105
1. Leave the *Trigger* as **When an incident is created**.
112
106
113
-
1. Select **+ Add** and choose *Condition (And)*.
107
+
1. Select **+ Add** and choose **Condition (And)**.
114
108
115
109
1. From the drop-down, select **Tactics**.
116
110
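Review bot: Line 103 ("Give the rule a name.") still leaves the rule name unspecified, while every other step in this task names the exact value to choose (**When an incident is created**, **Condition (And)**, **Tactics**); consider suggesting a concrete name so learners can locate the rule later and the lab stays reproducible.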
@@ -134,7 +128,7 @@ In this task, you update the new playbook you created with the proper connection
134
128
135
129
1. Select **Apply** at the bottom.
136
130
137
-
1. Select the **X**on the *Create new automation rule* window to close it.
131
+
> **Note:**The **Create new automation rule** window closes automatically after the rule is created. If the window does not close, select the **X** to close it.
138
132
139
133
You have now created a playbook and an automation rule in Microsoft Sentinel.
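Review bot: Line 131 is missing a space after the bold label (`> **Note:**The **Create new automation rule** window ...`), so it renders as "Note:The"; the other notes in this file use `>**Note:** ...` with the space after the colon, so match that form. Turning the close-window step into a conditional note is reasonable, since it no longer asks the learner to close a window that may already be gone, and it sits directly after the **Apply** step so the flow still reads correctly.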