Once you have used STAT to triage your incident and make a decision on the remediation actions you want to take, you may notice that STAT does not include any remediation actions. This is because many common remediation action Playbooks have already been built in the Sentinel Github repo. Since STAT is encouraging reusable automation, it didn't make sense at this time to incorporate remediation directly into STAT. However, that doesn't mean they can't work together.
Let's say you want to use the Confirm-AADRiskyUser playbook on an incident that STAT has triaged as high risk. How can you run this playbook?
There are actually three common ways to accomplish this:
- Run Playbook Module
- Run Playbook API
- Incident Tags and Automation Rules
The easiest way to run an automated remediation playbook based on a STAT triage is to use the Run Playbook STAT module. This module lets you start another automation playbook, using an incident trigger, on the incident you are triaging. More information on calling this module can be found here.
Microsoft Sentinel has an API endpoint that runs a playbook on an incident. In this approach, you call that API endpoint yourself to trigger the Confirm-AADRiskyUser playbook:
Incidents - Run Playbook API Documentation
The Run Playbook Module uses this API, but simplifies the inputs and authentication needed to call it.
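For readers who want to see what the Run Playbook Module is doing on their behalf, here is an added example (not part of STAT or the Sentinel repo) that builds and sends the Incidents - Run Playbook request. The API version, URL layout and body field names are assumed to match the public Incidents - Run Playbook documentation; all subscription, workspace, incident and tenant values are constructed placeholders.

```python
"""Build and send a Microsoft Sentinel 'Incidents - Run Playbook' request."""
import json
import re
import urllib.request

# ASSUMPTION: API version and resource layout follow the public
# Incidents - Run Playbook documentation; adjust if your tenant differs.
API_VERSION = "2024-03-01"
ARM_BASE = "https://management.azure.com"
_LOGIC_APP_ID = re.compile(
    r"^/subscriptions/[^/]+/resourceGroups/[^/]+/providers/"
    r"Microsoft\.Logic/workflows/[^/]+$", re.IGNORECASE)


def is_logic_app_resource_id(resource_id):
    """True when the string is shaped like a Logic App (playbook) resource ID."""
    return bool(_LOGIC_APP_ID.match(resource_id))


def build_run_playbook_request(subscription_id, resource_group, workspace,
                               incident_id, logic_app_resource_id, tenant_id):
    """Return (url, body) for POST .../incidents/{id}/runPlaybook.
    The playbook ID is validated locally so a typo fails here rather than
    as an opaque 4xx from Azure Resource Manager."""
    if not is_logic_app_resource_id(logic_app_resource_id):
        raise ValueError("logic_app_resource_id is not a Logic App resource ID")
    url = (f"{ARM_BASE}/subscriptions/{subscription_id}"
           f"/resourceGroups/{resource_group}"
           f"/providers/Microsoft.OperationalInsights/workspaces/{workspace}"
           f"/providers/Microsoft.SecurityInsights/incidents/{incident_id}"
           f"/runPlaybook?api-version={API_VERSION}")
    body = {"logicAppsResourceId": logic_app_resource_id, "tenantId": tenant_id}
    return url, body


def run_playbook(token, **kwargs):
    """Send the request with an ARM bearer token (for example from
    `az account get-access-token --resource https://management.azure.com`).
    Returns the HTTP status; 204 means Sentinel accepted the run."""
    url, body = build_run_playbook_request(**kwargs)
    req = urllib.request.Request(
        url, data=json.dumps(body).encode(), method="POST",
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return resp.status


if __name__ == "__main__":
    # Constructed placeholder values; not real Azure resources.
    url, body = build_run_playbook_request(
        "00000000-0000-0000-0000-000000000000", "rg-sentinel", "sentinel-ws",
        "11111111-1111-1111-1111-111111111111",
        "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/"
        "rg-playbooks/providers/Microsoft.Logic/workflows/Confirm-AADRiskyUser",
        "22222222-2222-2222-2222-222222222222")
    print(url, json.dumps(body), sep="\n")
```

The identity behind the token still needs rights to run playbooks in the playbook's resource group, which is one of the things the Run Playbook Module hides from you.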
In this approach, you configure the STAT playbook to tag the incident on which you want the remediation playbook to run, and an automation rule executes that playbook when the tag is present.
- In your STAT triage playbook add a Sentinel\Update Incident action to the part of your playbook where a high risk has been determined
- In that Update incident action, set a tag on the incident such as 'ConfirmRiskyUser'
- Create a new automation rule that runs after the STAT triage playbook (a higher Order number) and runs the Confirm-AADRiskyUser playbook
- Set a Condition on the automation rule for Tag Contains 'ConfirmRiskyUser'
With this configuration the STAT playbook runs first and determines whether the remediation action is needed; the remediation action takes place only if the tag has been added.