Create and perform incident tasks in Microsoft Sentinel using playbooks

This article explains how to use playbooks to create, and optionally perform, incident tasks to manage complex analyst workflow processes in Microsoft Sentinel.

Use the Add task action in a playbook, in the Microsoft Sentinel connector, to automatically add a task to the incident that triggered the playbook.

Tip

Incident tasks can be created automatically by playbooks and by automation rules, and also manually, ad hoc, from within an incident.

For more information, see Use tasks to manage incidents in Microsoft Sentinel.

Prerequisites

  • The Microsoft Sentinel Responder role is required to view and edit incidents, which is necessary to add, view, and edit tasks.

  • The Logic Apps Contributor role is required to create and edit playbooks.

For more information, see Microsoft Sentinel playbook prerequisites.

Use a playbook to add a task and perform it

This section provides a sample procedure for adding a playbook action that does the following:

  • Adds a task to the incident to reset a compromised user's password.
  • Adds another playbook action that sends a signal to Microsoft Entra ID Protection (AADIP) to actually reset the password.
  • Adds a final playbook action that marks the task in the incident as complete.

To add and configure these actions, take the following steps:

  1. From the Microsoft Sentinel connector, add the Add task to incident action and then:

    1. Select the Incident ARM ID dynamic content item for the Incident ARM id field.

    2. Enter Reset user password as the Title.

    3. Add an optional description.

    For example:

    Screenshot shows playbook actions to add a task to reset a user's password.

  2. Add the Entities - Get Accounts (Preview) action. Add the Entities dynamic content item (from the Microsoft Sentinel incident schema) to the Entities list field. For example:

    Screenshot shows playbook actions to get the account entities in the incident.

  3. Add a For each loop from the Control actions library. Add the Accounts dynamic content item from the Entities - Get Accounts output to the Select an output from previous steps field. For example:

    Screenshot shows how to add a for-each loop action to a playbook in order to perform an action on each discovered account.

  4. Inside the For each loop, select Add an action. Then:

    1. Search for and select the Microsoft Entra ID Protection connector.
    2. Select the Confirm a risky user as compromised (Preview) action.
    3. Add the Accounts Microsoft Entra user ID dynamic content item to the userIds Item - 1 field.

    This action sets in motion processes inside Microsoft Entra ID Protection to reset the user's password.

    Screenshot shows sending entities to AADIP to confirm compromise.

    Note

    The Accounts Microsoft Entra user ID field is one way to identify a user in AADIP. It isn't necessarily the best way in every scenario; it's used here only as an example.

    For assistance, consult other playbooks that handle compromised users, or the Microsoft Entra ID Protection documentation.

  5. Add the Mark a task as completed action from the Microsoft Sentinel connector and add the Incident task ID dynamic content item to the Task ARM id field. For example:

    Screenshot shows how to add a playbook action to mark an incident task complete.

For more information, see: