Solution: SentinelSOARessentials
| Attribute | Value |
|---|---|
| Publisher | Microsoft Corporation |
| Support Tier | Microsoft |
| Support Link | https://support.microsoft.com/ |
| Categories | domains |
| Version | 3.0.8 |
| Author | Microsoft - support@microsoft.com |
| First Published | 2022-06-27 |
| Last Updated | 2026-03-11 |
| Solution Folder | SentinelSOARessentials |
| Marketplace | Azure Marketplace · Popularity: 🟢 High (91%) |
The Microsoft Sentinel SOAR Essentials solution for Microsoft Sentinel contains Playbooks that can help you get started with basic notification and orchestration scenarios for common use cases. These include Playbooks for sending notifications over email and/or collaboration platforms such as MS Teams, Slack, etc.
This solution does not include data connectors.
This solution may contain other components such as analytics rules, workbooks, hunting queries, or playbooks.
This solution queries 2 table(s) from its content items:
| Table | Used By Content |
|---|---|
| AzureDiagnostics | Workbooks |
| SentinelHealth | Workbooks |
The following 2 table(s) are used internally by this solution's content items:
| Table | Used By Content |
|---|---|
| SecurityAlert | Playbooks |
| SecurityIncident | Playbooks, Workbooks |
This solution includes 29 content item(s) (28 in solution, 1 discovered 🔍):
| Content Type | Total | In Solution | Discovered |
|---|---|---|---|
| Playbooks | 25 | 25 | - |
| Workbooks | 4 | 3 | 1 |
Workbooks in this solution:
| Name | Tables Used |
|---|---|
| AutomationHealth | AzureDiagnostics, SentinelHealth |
| IncidentOverview ⚠️ | - |
| IncidentTasksWorkbook | Internal use: SecurityIncident |
| SecurityOperationsEfficiency | Internal use: SecurityIncident |
Playbooks in this solution:
| Name | Description | Tables Used |
|---|---|---|
| Create Incident From Microsoft Forms Response | This playbook will create a new Microsoft Sentinel incident when Microsoft Forms response is submitt... | - |
| Create Incident From Shared Mailbox | This playbook will create a new Microsoft Sentinel incident when new email arrives to shared mailbox... | - |
| HTTP Trigger Entity Analyzer | This playbook is triggered by HTTP POST requests with entity information and performs automated inve... | - |
| Incident Assignment Shifts | This playbook will assign an Incident to an owner based on the Shifts schedule in Microsoft Teams. W... | - |
| Incident Trigger Entity Analyzer | This playbook is triggered by Microsoft Sentinel incidents and performs automated investigation and ... | - |
| Incident tasks - Microsoft Defender XDR BEC Playbook for SecOps | This playbook adds Incident Tasks based on the Microsoft Defender XDR BEC Playbook for SecOps. This playb... | - |
| Incident tasks - Microsoft Defender XDR Phishing Playbook for SecOps | This playbook adds Incident Tasks based on the Microsoft Defender XDR Phishing Playbook for SecOps. This ... | - |
| Incident tasks - Microsoft Defender XDR Ransomware Playbook for SecOps | This playbook adds Incident Tasks based on the Microsoft Defender XDR Ransomware Playbook for SecOps. Thi... | - |
| Notify Incident Owner in Microsoft Teams | This playbook sends a Teams message to the new incident owner. | - |
| Notify When Incident Is Closed | This playbook uses the new update trigger to notify a person/group on Microsoft Teams/Outlook when... | - |
| Notify When Incident Is Reopened | This playbook uses the new update trigger to notify a person/group on Microsoft Teams/Outlook when... | - |
| Notify When Incident Severity Changed | This playbook uses the new update trigger to notify a person/group on Microsoft Teams/Outlook when... | - |
| Post Message Slack | This playbook will post a message in a Slack channel when an alert is created in Microsoft Sentinel | - |
| Post Message Slack | This playbook will post a message in a Slack channel when an Incident is created in Microsoft Sentin... | - |
| Post Message Teams | This playbook will post a message in a Microsoft Teams channel when an Alert is created in Microsoft... | - |
| Post Message Teams | This playbook will post a message in a Microsoft Teams channel when an Incident is created in Micros... | - |
| Post-Message-Slack | Author: Yaniv Shasha | - |
| Post-Message-Teams | Author: Yaniv Shasha | - |
| Relate alerts to incident by IP | This playbook looks for other alerts with the same IP as the triggered incident. When such an alert ... | Internal use: SecurityAlert (read), SecurityIncident (read) |
| Send Teams Adaptive Card on incident creation | This playbook will send Microsoft Teams Adaptive Card on incident creation, with the option to chang... | - |
| Send basic email | This playbook sends an email with basic incident details (Incident title, severity, tactics,... | - |
| Send email with formatted incident report | This playbook sends an email with a formatted incident report (Incident title, severity, tactic... | - |
| Send incident Teams Adaptive Card with XDR Portal links | This playbook will send a Teams adaptive card with incident and entity information with all links po... | - |
| Send incident email with XDR Portal links | This playbook will send an email with incident and entity information with all links pointing to the... | - |
| URL Trigger Entity Analyzer | This playbook is triggered manually when a URL entity is selected in a Microsoft Sentinel incident a... | - |
⚠️ Items marked with ⚠️ are not listed in the Solution JSON file. They were discovered by scanning the solution folder and may be legacy items, under development, or excluded from the official solution package.
| Version | Date Modified (DD-MM-YYYY) | Change History |
|---|---|---|
| 3.0.7 | 13-01-2026 | Removed the redundant IncidentOverview workbook from SentinelSOAREssentials |
| 3.0.6 | 24-12-2025 | Added new playbooks for the incident alerting. |
| 3.0.5 | 11-12-2025 | Updated the lookback value to 7 days across all three Logic Apps and Renamed the Logic App title to "URL Trigger Entity Analyzer". |
| 3.0.4 | 17-11-2025 | Added new playbooks for the Sentinel SentinelSOARessentials solution. |
| 3.0.3 | 30-05-2025 | This upgrade focused on improving Playbook functionality, updating documentation, and refining deployment parameters. |
| 3.0.2 | 26-10-2023 | Changes for rebranding from Microsoft 365 Defender to Microsoft Defender XDR. |
| 3.0.1 | 11-08-2023 | Updated timeContextFromParameter with TimeRange in the Workbook template. |
| 3.0.0 | 17-07-2023 | Updated Workbook template to remove unused variables. |