Incident tasks - Microsoft Defender XDR Phishing Playbook for SecOps
Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊
This playbook add Incident Tasks based on Microsoft Defender XDR Phishing Playbook for SecOps. This playbook will walk the analyst through four stages of responding to a phishing incident: containment, investigation, remediation and prevention. The step-by-step instructions will help you take the required remedial action to protect information and minimize further risks.
| Attribute | Value |
|---|---|
| Type | Playbook |
| Solution | SentinelSOARessentials |
| Source | View on GitHub |
Logic App Connectors
This playbook uses 2 Logic App connectors / built-in actions:
| Connector / Action | Type | Connections | Actions |
|---|---|---|---|
azuresentinel |
Managed | 1 | 0 |
microsoftsentinel |
Managed | 0 | 7 |
Action parameters (URLs, paths, function IDs)
microsoftsentinel (Managed)
| Action | Method | Endpoint | Other |
|---|---|---|---|
| Add_task_to_incident_-_Contain | post | /Incidents/CreateTask |
— |
| Add_task_to_incident_-_Introduction | post | /Incidents/CreateTask |
— |
| Mark_a_task_as_completed_-_Introduction | post | /Incidents/CompleteTask |
— |
| Add_task_to_incident_-_Investigate | post | /Incidents/CreateTask |
— |
| Add_task_to_incident_-_Investigate_involved_users | post | /Incidents/CreateTask |
— |
| Add_task_to_incident_-_Prevent | post | /Incidents/CreateTask |
— |
| Add_task_to_incident_-_Remediate | post | /Incidents/CreateTask |
— |
Additional Documentation
📄 Source: Defender_XDR_Phishing_Playbook_for_SecOps-Tasks/readme.md
Defender_XDR_Phishing_Playbook_for_SecOps-Tasks
author: Benji Kovacevic
This playbook add Incident Tasks based on Microsoft Defender XDR Phishing Playbook for SecOps. This playbook will walk the analyst through four stages of responding to a phishing incident: containment, investigation, remediation and prevention. The step-by-step instructions will help you take the required remedial action to protect information and minimize further risks.
Quick Deployment
Post-deployment
- Assign Microsoft Sentinel Responder role to the managed identity. To do so, choose Identity blade under Settings of the Logic App.
- Assign playbook to the automation rule. - https://learn.microsoft.com/azure/sentinel/tutorial-respond-threats-playbook?tabs=LAC
Conditions
Incident provider > Equals > Microsoft Defender XDR
Playbook will run if the alert has any of these keywords:
1. Phish
2. ZAP
3. removed after delivery
4. URL click was detectedScreenshots
Playbook
Microsoft Sentinel Incident Tasks
Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊