Incident tasks - Microsoft Defender XDR Ransomware Playbook for SecOps

Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊

↑ Back to Content Index

This playbook add Incident Tasks based on Microsoft Defender XDR Ransomware Playbook for SecOps. This playbook will walk the analyst through four stages of responding to a ransomware incident: containment, investigation, eradication and recovery, and prevention. The step-by-step instructions will help you take the required remedial action to protect information and minimize further risks.

Attribute	Value
Type	Playbook
Solution	SentinelSOARessentials
Source	View on GitHub

Logic App Connectors

This playbook uses 2 Logic App connectors / built-in actions:

Connector / Action	Type	Connections	Actions
`azuresentinel`	Managed	1	0
`microsoftsentinel`	Managed	0	27

Action parameters (URLs, paths, function IDs)

`microsoftsentinel` (Managed)

Action	Method	Endpoint	Other
Add_task_to_incident_-Containment-_Step_1	post	`/Incidents/CreateTask`	—
Add_task_to_incident_-Containment-_Step_2	post	`/Incidents/CreateTask`	—
Add_task_to_incident_-Containment-_Step_3.1	post	`/Incidents/CreateTask`	—
Add_task_to_incident_-Containment-_Step_3.2	post	`/Incidents/CreateTask`	—
Add_task_to_incident_-Eradication_and_recovery-S1-_Verify_your_backups	post	`/Incidents/CreateTask`	—
Add_task_to_incident_-Eradication_and_recovery-S2-_Add_indicators	post	`/Incidents/CreateTask`	—
Add_task_to_incident_-Eradication_and_recovery-S3-_Reset_compromised_users	post	`/Incidents/CreateTask`	—
Add_task_to_incident_-Eradication_and_recovery-S4-_Isolate_attacker_control	post	`/Incidents/CreateTask`	—
Add_task_to_incident_-Eradication_and_recovery-S5-_Remove_the_malware	post	`/Incidents/CreateTask`	—
Add_task_to_incident_-Eradication_and_recovery-S6-_Recover_files_on_a_clean	post	`/Incidents/CreateTask`	—
Add_task_to_incident_-Eradication_and_recovery-S7-_Recover_files_in_OneDrive	post	`/Incidents/CreateTask`	—
Add_task_to_incident_-Eradication_and_recovery-S8-_Recover_deleted_email	post	`/Incidents/CreateTask`	—
Add_task_to_incident_-Eradication_and_recovery-S9-_Re-enable_Exchange_Act	post	`/Incidents/CreateTask`	—
Add_task_to_incident_-_HumOR	post	`/Incidents/CreateTask`	—
Mark_a_task_as_completed_-_HumOR	post	`/Incidents/CompleteTask`	—
Add_task_to_incident_-_Introduction	post	`/Incidents/CreateTask`	—
Mark_a_task_as_completed_-_Introduction	post	`/Incidents/CompleteTask`	—
Add_task_to_incident_-Investigate-Identify_the_line_of_business(LOB)_apps	post	`/Incidents/CreateTask`	—
Add_task_to_incident_-Investigation-_Assess_the_current_situation	post	`/Incidents/CreateTask`	—
Add_task_to_incident_-Investigation-_Identify_the_ransomware_process	post	`/Incidents/CreateTask`	—
Add_task_to_incident_-Investigation-Look_for_exposed_credentials	post	`/Incidents/CreateTask`	—
Add_task_to_incident_-Prevention-Device_protection-_Part_1	post	`/Incidents/CreateTask`	—
Add_task_to_incident_-Prevention-Device_protection-_Part_2	post	`/Incidents/CreateTask`	—
Add_task_to_incident_-Prevention-_Email_management	post	`/Incidents/CreateTask`	—
Add_task_to_incident_-Prevention-_Identity_protection	post	`/Incidents/CreateTask`	—
Add_task_to_incident_-Prevention-_Information_protection	post	`/Incidents/CreateTask`	—
Add_task_to_incident_-Prevention-_Vulnerability_management	post	`/Incidents/CreateTask`	—

Additional Documentation

📄 Source: Defender_XDR_Ransomware_Playbook_for_SecOps-Tasks/readme.md

Defender_XDR_Ransomware_Playbook_for_SecOps-Tasks

author: Benji Kovacevic

Quick Deployment

Post-deployment

Assign Microsoft Sentinel Responder role to the managed identity. To do so, choose Identity blade under Settings of the Logic App.
Assign playbook to the automation rule. - https://learn.microsoft.com/azure/sentinel/tutorial-respond-threats-playbook?tabs=LAC
Conditions
Incident provider > Equals > Microsoft Defender XDR