Microsoft Sentinel Adds Preview of Incident Tasks Feature
A preview of a Microsoft Sentinel "Incident Tasks" feature was announced on Tuesday by Microsoft.
Incident Tasks provides a standardized approach for security operations center (SOC) personnel as they address security issues. It lets "senior managers or SOC managers" set up automation rules for security incident workflows, or set up "playbooks" that specify what needs to get done.
After the automation rules and playbooks are specified, other SOC personnel get a dashboard view of the tasks that need completion. These SOC personnel can also add their own tasks to the list if needed; such tasks stay specific to the incident they were added to.
SOCs typically would set up automation rules for "plain, static tasks that don't require interactivity." A playbook, on the other hand, would be used by SOCs for more complex tasks, such as "the creation of tasks based on conditions."
Microsoft outlined the distinction between using automation rules and playbooks in its documentation, which also describes how IT personnel in various SOC roles might use the Incident Tasks feature.
The Incident Tasks feature is conceived as a "case management" solution for SOCs, so that they don't need to seek out tools beyond Microsoft Sentinel for that purpose.
"We are pleased to continue introducing case management capabilities that help your team handle the full incident lifecycle and workflows in a unified SIEM and SOAR platform, allowing analysts to stay in context and reduce the need to pivot to external systems," the announcement indicated regarding the Incident Tasks feature.
Microsoft claims that Incident Tasks in Microsoft Sentinel will help SOCs or managed security service providers meet service-level agreements or carry out standard operating procedures. It helps with incident response documentation, plus it's useful when training new security analysts.
"Your SOC analysts can use a single central checklist to handle the processes of incident triage, investigation, and response, all without worrying about missing a critical step," the announcement stated.
All of the Incident Tasks capabilities appear to be at the preview stage. They include a new "incident tasks panel," which gives analysts a view of the tasks yet to be completed. There's also an "add task" capability, which is used to set up automation rules for incidents. Lastly, the playbooks capability of Incident Tasks lets managers "integrate task creation and completion in complex conditional workflows that integrate with external tools."
Those three features in the Incident Tasks preview were described as "a first set of features." Microsoft is planning to add more to Incident Tasks "as this feature evolves."
Kurt Mackie is senior news producer for 1105 Media's Converge360 group.