SOC Process Framework
| Content | Link |
|---|---|
| Blog | https://techcommunity.microsoft.com/t5/azure-sentinel/what-s-new-azure-sentinel-soc-process-framework-workbook/ba-p/2339315 |
| SOC Process Framework Workbook | https://github.com/Azure/Azure-Sentinel/blob/master/Workbooks/SOCProcessFramework.json |
| Incident Overview Workbook | https://github.com/Azure/Azure-Sentinel/blob/master/Workbooks/IncidentOverview.json |
| Watchlist | https://github.com/Azure/Azure-Sentinel/blob/master/docs/SOCAnalystActionsByAlert.csv |
| Incident Remediation Readme | Blog: tbc |
In the Incident Overview workbook, if an Alert has remediation entries, those are shown in the Basic view. Note: not all Alerts have this data. You can also provide your own set of remediation actions mapped to the Alert "Title". This enhanced feature uses a Watchlist with the alias SocRA, and its data is shown in the Advanced view of the Incident Overview workbook. This lets you supply your own remediations if required, for example adding extra steps that your SOC process requires.
You must download the Watchlist file called SOCAnalystActionsByAlert.csv (https://github.com/Azure/Azure-Sentinel/blob/master/docs/SOCAnalystActionsByAlert.csv).
Name the Watchlist alias as: SocRA
Note: SocRA is case sensitive; you need an uppercase S, R and A.
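As an added example (not part of the original page or the workbook's own queries), a KQL query of the kind the Advanced view relies on: it reads the Watchlist through its alias and joins remediation text onto recent alerts by alert title. The Watchlist column names AlertTitle and RemediationSteps are assumptions; check the header of the CSV for the real names.

```kql
// Added example, not from the original page: join SocRA watchlist remediation
// entries onto recent alerts by alert title, as the Advanced view does.
// Assumed watchlist columns (check the CSV header): AlertTitle, RemediationSteps.
let remediations =
    _GetWatchlist('SocRA')          // alias is case sensitive: uppercase S, R, A
    | project AlertTitle, RemediationSteps;
SecurityAlert
| where TimeGenerated > ago(7d)
| summarize arg_max(TimeGenerated, *) by SystemAlertId   // latest state of each alert
| project TimeGenerated, SystemAlertId, AlertName, AlertSeverity
// join on == is an exact, case-sensitive match on the title
| join kind=leftouter remediations on $left.AlertName == $right.AlertTitle
| extend HasRemediation = isnotempty(RemediationSteps)
| project TimeGenerated, AlertName, AlertSeverity, HasRemediation, RemediationSteps
| order by TimeGenerated desc
```

Run `_GetWatchlist('SocRA') | take 5` on its own first to confirm the alias resolves and to see the actual column names before adapting the join.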