SOC Process Framework

Solution: SOC-Process-Framework





Publisher: Microsoft Corporation
Support Tier: Microsoft
Support Link: https://support.microsoft.com
Categories: domains
Version: 3.0.0
Author: Rin Ure - rin.ure@microsoft.com
First Published: 2022-04-08
Solution Folder: SOC-Process-Framework
Marketplace: Azure Marketplace · Rating: ★★★★★ 5.0/5 (1 rating) · Popularity: 🟡 Low (28%)

The Get-SOCActions playbook, together with the SocRA watchlist, lets a SOC onboard SOC Actions for its analysts to follow; those actions map directly onto the SOC Process Framework workbook.

Contents

Data Connectors

This solution does not include data connectors.

This solution may contain other components such as analytics rules, workbooks, hunting queries, or playbooks.

Tables Used

This solution queries one table from its content items:

Table · Used By Content
Usage · Workbooks

Internal Tables

The following table is used internally by this solution's content items:

Table · Used By Content
SecurityIncident · Workbooks

Content Items

This solution includes 20 content items:

Content Type · Count
Watchlists · 12
Workbooks · 7
Playbooks · 1

Workbooks

Name · Tables Used
Building_a_SOCLargeStaff · -
Building_a_SOCMediumStaff · -
Building_a_SOCPartTimeStaff · -
Building_a_SOCSmallStaff · -
SOCIRPlanning · -
SOCProcessFramework · Usage (internal use: SecurityIncident)
UpdateSOCMaturityScore · -

Playbooks

Name · Description · Tables Used
Get-SOC-Actions · This playbook uses the SOC Recommended Actions Watchlist to automatically enrich incidents generated... · -

Watchlists

Name · Description · Tables Used
SOCDepartmental · - · -
SOCEmailDistribution · - · -
SOCExternalContacts · - · -
SOCIRP · - · -
SOCInternalContacts · - · -
SOCMA · - · -
SOCPager · - · -
SOCUseCase · - · -
SOCcontacts · - · -
SOCgeneralIT · - · -
SOCworkstations · - · -
SocRA · - · -

Additional Documentation

📄 Source: SOC-Process-Framework/README.md

Author: Rin Ure

SOC Process Framework

Table of Contents

  1. Overview
  2. Workbooks
  3. Watchlists
  4. Playbooks
  5. Post-Deployment Instructions

Overview

This solution contains all resources for the SOC Process Framework Microsoft Sentinel solution. It is built to integrate with Microsoft Sentinel and to establish a standard SOC process and procedure framework within your organization.

By deploying this solution, you can monitor progress within your SOC operations and update the SOC CMMI assessment score. This solution consists of the following resources:

- Integrated workbooks, interconnected into a single workbook for single-pane-of-glass operation.
- One playbook for pushing SOC Actions to your incidents.
- Multiple watchlists that help you maintain and organize your SOC efforts, including IR planning, the SOC CMMI assessment score, and many more.

Workbooks

The workbooks contained in this solution provide visualizations of SOC progress, procedures, and activity, and give an overview of the overall SOC maturity. These workbooks and their dependencies are deployed for you through this solution.

Watchlists

The watchlists contained within this solution hold information pertaining to Incident Response Planning, SOC Maturity (CMMI) scoring, Recommended SOC Actions, and more. All of these watchlists give the customer easy access to update pertinent information regarding their SOC operations.

Playbooks

Currently the only playbook in this solution is the Get-SOCActions playbook, which delivers custom analyst actions to take per incident. This lets organizations create and add their own scripted actions that they want an analyst to take. After deploying this solution, see the Post-Deployment Instructions before running the playbook.

Post-Deployment Instructions

1. After deploying the playbook, you must authorize the connections it leverages and assign permissions

  1. Visit the playbook resource.
  2. Under "Development Tools" (located on the left), click "API Connections".
  3. Ensure each connection has been authorized.

2. Assign Microsoft Sentinel Responder Role to Playbook

This playbook uses a managed identity, which must be assigned the Microsoft Sentinel Responder role on the Sentinel workspace(s) it targets so that it can add actions to incidents.

  1. Select the Playbook resource.
  2. In the left menu, click Identity.
  3. Under Permissions, click Azure role assignments.
  4. Click Add role assignment (Preview).
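
As an added example (not part of the solution or its README), the two post-deployment steps above scripted with the Az PowerShell modules: it checks that the playbook's API connections report Connected, resolves the playbook's system-assigned managed identity, and assigns Microsoft Sentinel Responder scoped to the Sentinel workspace rather than to the subscription. The resource group, playbook and workspace names are placeholders, and the script assumes the Az.Accounts, Az.Resources and Az.OperationalInsights modules are installed and Connect-AzAccount has already been run.

```powershell
# Added example, not part of the SOC Process Framework solution.
# Assumptions: Az.Accounts, Az.Resources and Az.OperationalInsights are installed,
# Connect-AzAccount has been run, and the names below are placeholders for your tenant.

$ResourceGroup = "rg-sentinel"        # assumption: playbook and workspace share one resource group
$PlaybookName  = "Get-SOCActions"     # Logic App (playbook) name as deployed
$WorkspaceName = "law-sentinel"       # Log Analytics workspace that hosts Microsoft Sentinel
$RoleName      = "Microsoft Sentinel Responder"

# 1. Check the API connections in the resource group. An authorized connection reports
#    status "Connected" in its ARM properties; an unauthorized one reports "Error".
$connections = Get-AzResource -ResourceGroupName $ResourceGroup `
    -ResourceType "Microsoft.Web/connections" -ExpandProperties

foreach ($conn in $connections) {
    $status = $conn.Properties.statuses | Select-Object -First 1 -ExpandProperty status
    if ($status -ne "Connected") {
        Write-Warning "API connection '$($conn.Name)' is not authorized (status: $status). Authorize it under API Connections before running the playbook."
    } else {
        Write-Host "API connection '$($conn.Name)' is authorized."
    }
}

# 2. Resolve the playbook's system-assigned managed identity (the principal the role goes to).
$playbook = Get-AzResource -ResourceGroupName $ResourceGroup `
    -ResourceType "Microsoft.Logic/workflows" -Name $PlaybookName
if (-not $playbook.Identity -or $playbook.Identity.Type -ne "SystemAssigned") {
    throw "Playbook '$PlaybookName' has no system-assigned managed identity; enable it under Identity first."
}
$principalId = $playbook.Identity.PrincipalId

# 3. Scope the role to the Sentinel workspace only (least privilege): the identity needs to
#    update incidents in this workspace, not in every workspace of the subscription.
$workspace = Get-AzOperationalInsightsWorkspace -ResourceGroupName $ResourceGroup -Name $WorkspaceName
$scope = $workspace.ResourceId

# 4. Assign Microsoft Sentinel Responder unless it is already effective at that scope.
#    Get-AzRoleAssignment -Scope also returns assignments inherited from parent scopes,
#    so an assignment at the resource group or subscription counts as already present.
$existing = Get-AzRoleAssignment -ObjectId $principalId -RoleDefinitionName $RoleName -Scope $scope
if (-not $existing) {
    New-AzRoleAssignment -ObjectId $principalId -RoleDefinitionName $RoleName -Scope $scope | Out-Null
    Write-Host "Assigned '$RoleName' to playbook identity $principalId on $scope"
} else {
    Write-Host "'$RoleName' is already effective for playbook identity $principalId on $scope"
}
```

Scoping the assignment to the workspace resource ID is deliberate: Microsoft Sentinel Responder on that one workspace is all the playbook needs to modify incidents, while the same role granted at subscription scope would let the identity act on every Sentinel workspace in the subscription. Run the script once per Sentinel workspace the playbook is attached to.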

[Content truncated...]

Release Notes

Version · Date Modified (DD-MM-YYYY) · Change History
3.0.2 · 10-07-2025 · Updates to the playbook description, prerequisites, and post-deployment instructions, as well as adjustments to variable naming conventions for consistency.
3.0.1 · 24-07-2023 · Update table markdown from " : " to " - " in the SOCProcessFramework workbook.
3.0.0 · 12-07-2023 · Correction of the logo in the solution.
