Automating Incident Mitigation in Azure Sentinel | Minimize Administrative Effort

Automate Incident Mitigation in Azure Sentinel

Question

You onboard Azure Sentinel. You connect Azure Sentinel to Azure Security Center.

You need to automate the mitigation of incidents in Azure Sentinel. The solution must minimize administrative effort.

What should you create?

Answers

Explanations



B

https://docs.microsoft.com/en-us/azure/sentinel/tutorial-respond-threats-playbook

To automate the mitigation of incidents in Azure Sentinel with minimal administrative effort, you should create a playbook.

A playbook is a collection of automated procedures, built as an Azure Logic Apps workflow, that runs in response to a specific alert or incident. Playbooks can automate the investigation and remediation of security threats, as well as the enforcement of best practices and compliance requirements.

By creating a playbook, you can define a series of automated actions that should be taken when a particular incident or threat is detected. For example, a playbook can be configured to isolate an infected virtual machine, block an attacker's IP address, or notify a security administrator of a critical event.

In Azure Sentinel, playbooks can be created using the built-in Logic Apps Designer or using Azure Functions, which is a serverless compute service that allows you to run code in response to events.

Alert rules, function apps, and runbooks are all related to Azure Sentinel automation, but they serve different purposes:

  • An alert rule defines the conditions that trigger an alert in Azure Sentinel, based on log data or other events. Once an alert is triggered, a playbook can be used to automate the investigation and remediation of the incident.

  • A function app is a serverless compute service that allows you to run code in response to events or triggers. Function apps can be used to create custom connectors, integrate with external services, or extend the capabilities of Azure Sentinel.

  • A runbook is a collection of PowerShell or Python scripts that automate the execution of tasks in Azure or other cloud services. Runbooks can be used to automate routine tasks such as resource provisioning, backup and recovery, or compliance checks.

Therefore, the correct answer to the question is B - a playbook.