What’s New: Azure Sentinel – SOC Process Framework Workbook

It is recommended that you have a working instance of Azure Sentinel get the full benefit of the SOC Process Framework Workbook, but the workbook will deploy regardless of your available log sources. Follow the steps below to enable the workbook:

Requirements: Azure Sentinel Workspace and Security Reader rights.

1) From the Azure portal, navigate to Azure Sentinel.

2) Select Workbooks > Templates.

3) Search SOC Process Framework and select Save to add to My Workbooks.

NOTE: If the workbook is not yet available in your Azure Sentinel Workbook Templates, you can pull down a copy by going to my GitHub repo: https://github.com/rinure-msft/Azure-Sentinel/blob/master/Workbooks/SOCProcessFramework.json and simply open a New Workbook and paste in the Gallery Code.

If you need steps on manually deploying the workbook after copying the code from GitHub, I suggest following the instructions from this article that has them outlined: https://docs.microsoft.com/en-us/azure/azure-monitor/visualize/workbooks-automate.

There are 14 Processes and 36 Procedures broken into detail to help deliver a comprehensive start to operationalizing Azure Sentinel and applying a SOC methodology.

Working Example of SOC Process Framework Workbook

This workbook is built so that SOC practices can deploy this workbook and edit the following Parameters:

– [CUSTOMER] Simply replace with your customer SOC Name.

– Upload Diagrams and or Docs under the Technology sections.

– Make any necessary changes to fit the way your SOC operates and use this workbook as your Central SOC Operational Process and Procedures Knowledge Base.

This workbook has a TON of features (too many to mention) so go grab this workbook and find out how easy it is to build your SOC processes around Azure Sentinel, XDR, Azure Security Center, or any of our Security tools.

SOC Process Framework – Analytical Processes

There are a couple of other artifacts that are complimentary to this workbook that were uploaded recently! Here they are:

– Get-SOCActions Playbook – Azure-Sentinel/Playbooks/Get-SOCActions at master · rinure-msft/Azure-Sentinel (github.com)

– SocRA Watchlist –  https://github.com/rinure-msft/Azure-Sentinel/blob/master/docs/SOCAnalystActionsByAlert.csv

The Get-SOCActions Playbook with “SocRA” Watchlist gives SOCs the ability to onboard SOC Actions for their Analysts to follow that snap to the SOC Process Framework Workbook. As they onboard Use-Cases and apply triage steps, this playbook can then be run to add those steps to the Incident for an Analyst to follow to closure.