hands-on lab

Automating Threat Response using Sentinel Playbooks

Up to 1h 30m
This lab is currently under maintenance and unavailable. We are actively working to resolve this issue and we apologize for any inconvenience.

This lab has been outdated.

Get guided in a real environmentPractice with a step-by-step scenario in a real, provisioned environment.
Learn and validateUse validations to check your solutions every step of the way.
See resultsTrack your knowledge and monitor your progress.
Lab description

Azure Sentinel (Microsoft Sentinel) is a cloud-based SIEM (security information event management) solution that offers advanced intelligence tools across the organizations to secure the cloud and on-premises resources. The core offering of the Azure Sentinel revolves around collecting data at scale while detecting the threat in real-time using artificial intelligence to hunt the suspicious activities, ultimately performing actions to either remediate based on the preconfigured actions or provide a response plan to the security teams in an organization.

Playbooks in the Sentinel offers automated remediation and proactive action tools to handle many incidents on autopilot. The playbook uses the Azure Logic App designer to build the workflow for automated response actions. The playbooks can run manually or be triggered automatically for specific analytic rules to resolve known issues without involving the security team in manually investigating every incident. Microsoft also offers templates for various industry-wide used actions to get you up and running without creating the playbooks from scratch.

In this hands-on lab, you will understand how to configure automated responses to security incidents in Sentinel using Playbooks.

Learning Objectives

Upon completion of this intermediate-level lab, you will be able to:

  • Use Data Connector rules to collect Windows VM Security Events
  • Create Playbook for automated response to Sentinel incidents
  • Create Analytics Rule to trigger Playbook for remediation upon active alert detection

Intended Audience

  • Candidates for Azure Security Engineer (AZ-500)
  • Cloud Architects
  • Data Engineers
  • DevOps Engineers
  • Software Engineers


Familiarity with the following will be beneficial but is not required:

  • Azure Storage Account
  • Azure Logic App
  • Azure Log Analytics
  • Azure Sentinel

The following content can be used to fulfill the prerequisite:

Environment before

Environment after

About the author
Learning paths

Parveen is an Azure advocate with previous experience in the professional consulting services industries. He specializes in infrastructure and DevOps with a wide range of knowledge in security and access management. He is also an Azure Certified - DevOps Engineer Expert, Security Engineer, Developer Associate, Administrator Associate, CompTIA Certified - Network+, Security+, and AWS Cloud Practitioner.
Parveen enjoys writing about cloud technologies and sharing the knowledge with the community to help students upskill in the cloud.

Covered topics
Lab steps
Logging in to the Microsoft Azure Portal
Preparing Azure Sentinel for Incident Response
Creating Sentinel Playbook to Trigger Alert
Simulating Password Brute-Force Attack on the Azure VM
Creating Analytics Rule that Trigger Playbook for Automated Incident Response
Investigating Automated Trigger Playbook Runs