Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
Microsoft Sentinel provides a wide variety of playbooks and connectors for security orchestration, automation, and response (SOAR), so that you can readily integrate Microsoft Sentinel with any product or service in your environment.
The integrations listed below may include some or all of the following components:
| Component type | Purpose | Use case and linked instructions |
|---|---|---|
| Playbook templates | Automated workflow | Use playbook templates to deploy ready-made playbooks for responding to threats automatically. Automate threat response with playbooks in Microsoft Sentinel |
| Azure Logic Apps managed connector | Building blocks for creating playbooks | Playbooks use managed connectors to communicate with hundreds of both Microsoft and non-Microsoft services. List of Logic Apps connectors and their documentation |
| Azure Logic Apps custom connector | Building blocks for creating playbooks | You may want to communicate with services that aren't available as prebuilt connectors. Custom connectors address this need by allowing you to create (and even share) a connector and define its own triggers and actions. |
You can find SOAR integrations and their components in the following places:
- Microsoft Sentinel solutions
- Microsoft Sentinel Automation blade, playbook templates tab
- Logic Apps designer (for managed Logic Apps connectors)
- Microsoft Sentinel GitHub repository
Tip
- Many SOAR integrations can be deployed as part of a Microsoft Sentinel solution, together with related data connectors, analytics rules and workbooks. For more information, see the Microsoft Sentinel solutions catalog.
- More integrations are provided by the Microsoft Sentinel community and can be found in the GitHub repository.
- If you have a product or service that isn't listed or currently supported, please submit a Feature Request.
You can also create your own, using the following tools:- Logic Apps custom connector
- Azure functions
- Logic Apps HTTP calls
| Product | Integration components | Supported by | Scenarios |
|---|---|---|---|
| Cisco FirePower | Custom Logic Apps connector Playbooks |
Community | Block IPs and URLs |
| Product | Integration components | Supported by | Scenarios |
|---|---|---|---|
| Big-IP | Playbooks | Community | Block IPs and URLs |
| Product | Integration components | Supported by | Scenarios |
|---|---|---|---|
| Resilient | Custom Logic Apps connector Playbooks |
Community | Sync incidents |
| Product | Integration components | Supported by | Scenarios |
|---|---|---|---|
| InsightVM Cloud API | Custom Logic Apps connector Playbooks |
Microsoft | Enrich incident with asset info, Enrich vulnerability info, Run VM scan |
| Product | Integration components | Supported by | Scenarios |
|---|---|---|---|
| Azure DevOps | Managed Logic Apps connector Playbooks |
Microsoft Community |
Sync incidents |
| Azure Firewall (Available as solution) |
Custom Logic Apps connector Playbooks |
Microsoft | Block IPs |
| Microsoft Entra ID | Managed Logic Apps connector Playbooks |
Microsoft Community |
Users enrichment, Users remediation |
| Azure Data Explorer | Managed Logic Apps connector | Microsoft | Query and investigate |
| Azure Log Analytics Data Collector | Managed Logic Apps connector | Microsoft Community |
Query and investigate |
| Product | Integration components | Supported by | Scenarios |
|---|---|---|---|
| Palo Alto PAN-OS (Available as solution) |
Custom Logic Apps connector Playbooks |
Community | Block IPs and URLs |
| Wildfire | Custom Logic Apps connector Playbooks |
Community | Filehash enrichment and response |
| Product | Integration components | Supported by | Scenarios |
|---|---|---|---|
| Qualys VM (Available as solution) |
Custom Logic Apps connector Playbooks |
Microsoft | Get asset details, Get asset by CVEID, Get asset by Open port, Launch VM scan |
| Product | Integration components | Supported by | Scenarios |
|---|---|---|---|
| Recorded Future Intelligence | Managed Logic Apps connector Playbooks |
Recorded Future | Entities enrichment |
| Product | Integration components | Supported by | Scenarios |
|---|---|---|---|
| ServiceNow | Managed Logic Apps connector Playbooks |
Microsoft Community |
Sync incidents |
| Product | Integration components | Supported by | Scenarios |
|---|---|---|---|
| URLhaus (Available as solution) |
Custom Logic Apps connector Playbooks |
Microsoft | Check host and enrich incident, Check hash and enrich incident, Check URL and enrich incident |
| Product | Integration components | Supported by | Scenarios |
|---|---|---|---|
| Zscaler | Playbooks | Microsoft | URL remediation, incident enrichment |
In this document, you learned about Microsoft Sentinel SOAR content.
- Learn more about Microsoft Sentinel Solutions.
- Find and deploy Microsoft Sentinel Solutions.