7.6 Automation Rules and Logic Apps Playbooks
Key Takeaways
- SOAR in Sentinel is delivered through automation rules and playbooks; playbooks are built on Azure Logic Apps.
- A playbook is a Logic App workflow that performs response actions, such as blocking a user, isolating a device, or opening a ticket.
- Automation rules centrally manage triage and orchestration and can trigger playbooks on incident or alert events.
- UEBA baselines normal user/entity behavior to detect anomalies; threat intelligence enriches detections with known indicators.
- Response automation comes after detection and incident context, never before data exists.
SOAR: Automation Rules and Playbooks
The SOAR half of Microsoft Sentinel is delivered through two related features: automation rules and playbooks. A playbook is a workflow built on Azure Logic Apps that performs response actions automatically — for example, blocking or disabling a user, isolating a device via Defender for Endpoint, posting to a Microsoft Teams or Slack channel, opening a ServiceNow ticket, or emailing an analyst for approval. Because playbooks are Logic Apps, they can connect to hundreds of connectors across Microsoft and third-party systems, which is what makes SOAR responses cross-product.
An automation rule is the orchestration and triage layer. It lets you centrally define how incidents are handled — automatically assigning an owner, setting severity or status, tagging, suppressing noise, or running one or more playbooks — and it triggers on incident or alert events. Automation rules also give you a single place to manage and order automation, instead of attaching logic to each rule individually.
| SOAR concept | Role | Built on |
|---|---|---|
| Playbook | Automated response workflow / action | Azure Logic Apps |
| Automation rule | Centralized triage and orchestration; can run playbooks | Sentinel automation engine |
| Trigger | What starts automation: incident created/updated, or alert | Event-driven |
Response automation is not the first step in the Sentinel chain. The order is: connectors ingest data, analytics rules (or hunting) detect, incidents organize the investigation, and then automation rules and playbooks coordinate the response. A scenario that wants "a repeatable action to run whenever a specific incident is created" is squarely an automation rule plus playbook answer.
UEBA, Threat Intelligence, and the SOAR Trap
Two more Sentinel capabilities round out the platform. User and Entity Behavior Analytics (UEBA) baselines normal behavior for users and entities (hosts, IPs, apps) and surfaces anomalies — for example, a user suddenly accessing resources at an unusual hour or from a new location — assigning risk to help analysts prioritize. Threat intelligence (TI) brings in indicators of compromise (malicious IPs, domains, file hashes) from Microsoft and third-party feeds via the TI connector (often TAXII/STIX), so analytics rules can match ingested data against known-bad indicators.
Both are detection enrichments inside the same Sentinel platform; neither is a separate product.
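To make the two enrichments concrete, the following Python is an added example written for this chapter; it is not Sentinel's UEBA engine or its TI connector, and every event, user name, IP address and indicator in it is constructed (the IPs come from documentation ranges and the hash is a placeholder). It builds a per-user baseline of sign-in hours, countries and source IPs, scores a new sign-in by how far it departs from that baseline, and separately matches the sign-in's IP against a small known-bad indicator set, then combines both results the way an enriched alert would carry them.

```python
"""Toy UEBA baseline and threat-intelligence matching over constructed sign-ins.
Added illustration of the concepts only; not Sentinel code or its APIs."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed historical sign-ins: (user, hour_of_day, country, source_ip)
HISTORY = [
    ("alice", 9, "US", "203.0.113.10"), ("alice", 10, "US", "203.0.113.10"),
    ("alice", 8, "US", "203.0.113.11"), ("alice", 11, "US", "203.0.113.10"),
    ("alice", 9, "US", "203.0.113.12"),
    ("bob", 14, "DE", "198.51.100.5"), ("bob", 15, "DE", "198.51.100.5"),
    ("bob", 13, "DE", "198.51.100.6"), ("bob", 16, "DE", "198.51.100.5"),
]

# Constructed threat-intelligence indicators (placeholders, not real IoCs)
TI_INDICATORS = {
    "ip": {"192.0.2.44", "192.0.2.99"},
    "domain": {"bad-updates.example"},
    "sha256": {"0" * 64},
}


def build_baseline(history):
    """Per-user baseline: typical sign-in hour (mean/stdev), seen countries and IPs."""
    per_user = defaultdict(lambda: {"hours": [], "countries": set(), "ips": set()})
    for user, hour, country, ip in history:
        b = per_user[user]
        b["hours"].append(hour)
        b["countries"].add(country)
        b["ips"].add(ip)
    baseline = {}
    for user, b in per_user.items():
        sd = pstdev(b["hours"]) or 1.0  # guard against a zero stdev for very regular users
        baseline[user] = {"mean_hour": mean(b["hours"]), "sd_hour": sd,
                          "countries": b["countries"], "ips": b["ips"]}
    return baseline


def score_event(baseline, user, hour, country, ip):
    """UEBA-style scoring: each deviation from the user's baseline adds risk points."""
    b = baseline.get(user)
    if b is None:
        return 50, ["no baseline for user"]  # unknown entity: flag for review
    risk, reasons = 0, []
    z = abs(hour - b["mean_hour"]) / b["sd_hour"]
    if z > 3:
        risk += 30
        reasons.append(f"unusual hour (z={z:.1f})")
    if country not in b["countries"]:
        risk += 40
        reasons.append(f"new country {country}")
    if ip not in b["ips"]:
        risk += 10
        reasons.append("new source IP")
    return risk, reasons


def match_ti(indicators, ip=None, domain=None, sha256=None):
    """Threat-intelligence matching: exact lookups against known-bad indicator sets."""
    hits = []
    if ip and ip in indicators["ip"]:
        hits.append(("ip", ip))
    if domain and domain in indicators["domain"]:
        hits.append(("domain", domain))
    if sha256 and sha256 in indicators["sha256"]:
        hits.append(("sha256", sha256))
    return hits


def enrich(baseline, indicators, event):
    """Combine both enrichments for one sign-in: UEBA risk plus TI hits."""
    user, hour, country, ip = event
    risk, reasons = score_event(baseline, user, hour, country, ip)
    return {"user": user, "risk": risk, "reasons": reasons,
            "ti_hits": match_ti(indicators, ip=ip)}


if __name__ == "__main__":
    bl = build_baseline(HISTORY)
    print(enrich(bl, TI_INDICATORS, ("alice", 3, "BR", "192.0.2.44")))
```

A normal sign-in for alice scores zero, while a 3 a.m. sign-in from a new country and an IP on the indicator list scores 80 on the UEBA side and also produces a TI hit; in Sentinel those two signals arrive from different capabilities but land in the same incident.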
The most common SOAR trap is choosing a Defender product for a Sentinel automation scenario, or confusing a Sentinel playbook with a study "playbook" or exam-day checklist. In this chapter a playbook is strictly an automated security response workflow on Logic Apps. Defender products protect specific surfaces (endpoints, email, identity, apps); Sentinel orchestrates response across the whole SOC and can drive Defender actions through playbook connectors.
Use this response checklist:
- SIEM wording (collect, analyze, detect) -> Sentinel detection side.
- SOAR wording (orchestrate, automate, respond) -> automation rules and playbooks.
- "Logic Apps workflow that responds to an incident" -> playbook.
- "Centrally triage and route incidents, run playbooks" -> automation rule.
- "Baseline behavior and flag anomalous users" -> UEBA.
- "Match activity against known malicious indicators" -> threat intelligence.
- Compliance wording (labels, retention, eDiscovery) -> Microsoft Purview, not Sentinel.
For SC-900 you will not design a Logic App. Know that playbooks (Logic Apps) and automation rules deliver Sentinel's SOAR, that UEBA and threat intelligence enrich detection, and that when a question combines threat detection, incidents, and automated response across many sources, Microsoft Sentinel is the single best product match.
Why SOAR Matters and How the Pieces Fit Together
Security teams are flooded with alerts, and many response steps are repetitive: enrich an incident with extra context, notify the right people, open a ticket, and contain an obvious threat. In Sentinel, the division of labor is clear. Automation rules decide what should happen and to which incidents — they are the policy and triage layer that can run immediately when an incident is created or updated. Playbooks are the hands — Logic Apps workflows that carry out the concrete actions an automation rule (or an analyst) invokes.
Because playbooks are Azure Logic Apps, they tap a large library of connectors. A single playbook might call Microsoft Entra to disable a user, call Microsoft Defender for Endpoint to isolate a device, post a summary to Microsoft Teams, and create a ticket in ServiceNow — all in one orchestrated flow. Playbooks can run fully automatically or pause for human approval before taking a sensitive action, which is a common real-world pattern the exam may allude to.
| Sentinel layer | Question it answers | Typical example |
|---|---|---|
| Analytics rule / hunting | What is suspicious? | Detect an impossible-travel sign-in |
| Incident | What do we investigate? | Group the related alerts and entities |
| Automation rule | What should we do, and when? | On creation, assign owner and run a playbook |
| Playbook (Logic Apps) | How do we do it? | Disable the user, notify Teams, open a ticket |
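The division of labor described in the SOAR section at the top of this chapter and in the table above can be seen in a small model. The Python below is an added example for this chapter, not Sentinel's automation engine or a Logic Apps definition; the rule names, playbook names, connector-style step functions and the incident are all hypothetical, and no step contacts a real service. Automation rules are evaluated in their configured order against one trigger event (incident created or updated), apply their triage settings (owner, severity, tags), and hand off to playbooks; one playbook pauses for analyst approval before its sensitive containment steps run.

```python
"""Toy model of Sentinel SOAR layering: automation rules decide what happens
to an incident, playbooks carry out the actions. Added illustration only;
names are hypothetical and nothing here calls a real service."""
from dataclasses import dataclass, field
from typing import Callable, List, Optional


@dataclass
class Incident:
    id: str
    title: str
    severity: str                      # "Low" | "Medium" | "High"
    status: str = "New"
    owner: Optional[str] = None
    tags: List[str] = field(default_factory=list)
    comments: List[str] = field(default_factory=list)


# Playbook steps stand in for Logic Apps connector actions.
def disable_user(inc):    return f"Entra: disabled user in {inc.id}"
def isolate_device(inc):  return f"MDE: isolated device in {inc.id}"
def notify_teams(inc):    return f"Teams: posted summary of {inc.id}"
def open_ticket(inc):     return f"ServiceNow: opened ticket for {inc.id}"


@dataclass
class Playbook:
    name: str
    steps: List[Callable[[Incident], str]]
    requires_approval: bool = False    # pause before sensitive actions

    def run(self, inc: Incident, approved: bool = False) -> List[str]:
        if self.requires_approval and not approved:
            inc.comments.append(f"{self.name}: awaiting analyst approval")
            return []                  # paused; no step executed yet
        out = [step(inc) for step in self.steps]
        inc.comments.append(f"{self.name}: completed {len(out)} actions")
        return out


@dataclass
class AutomationRule:
    name: str
    order: int                         # lower runs first
    trigger: str                       # "incident_created" | "incident_updated"
    condition: Callable[[Incident], bool]
    assign_owner: Optional[str] = None
    set_severity: Optional[str] = None
    add_tags: List[str] = field(default_factory=list)
    playbooks: List[Playbook] = field(default_factory=list)


def run_automation(rules, inc, event, approved=False):
    """Evaluate all rules for one trigger event, in order; return the action log."""
    log = []
    for rule in sorted(rules, key=lambda r: r.order):
        if rule.trigger != event or not rule.condition(inc):
            continue
        if rule.assign_owner:
            inc.owner = rule.assign_owner
        if rule.set_severity:
            inc.severity = rule.set_severity
        inc.tags.extend(t for t in rule.add_tags if t not in inc.tags)
        for pb in rule.playbooks:
            log.extend(pb.run(inc, approved))
    return log


def demo():
    """Constructed scenario: a High-severity impossible-travel incident is created."""
    contain = Playbook("Contain-Account", [disable_user, isolate_device], requires_approval=True)
    notify = Playbook("Notify-SOC", [notify_teams, open_ticket])
    rules = [
        AutomationRule("Notify on impossible travel", 20, "incident_created",
                       lambda i: "impossible travel" in i.title.lower(), playbooks=[notify]),
        AutomationRule("Triage high severity", 10, "incident_created",
                       lambda i: i.severity == "High", assign_owner="soc-tier2",
                       add_tags=["auto-triaged"], playbooks=[contain]),
    ]
    inc = Incident("INC-1001", "Impossible travel sign-in for user", "High")
    created_log = run_automation(rules, inc, "incident_created")   # containment paused
    updated_log = run_automation(rules, inc, "incident_updated")   # no rule matches this trigger
    approved_log = contain.run(inc, approved=True)                 # analyst approves containment
    return inc, created_log, updated_log, approved_log


if __name__ == "__main__":
    for line in demo()[1] + demo()[3]:
        print(line)
```

On creation the order-10 rule runs first, assigns the owner and tag and parks the containment playbook pending approval; the order-20 rule then runs the notification playbook; an update event matches neither rule; and the approval call finally executes the disable and isolate steps.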
UEBA and threat intelligence sit on the detection side of this picture, sharpening the signals that ultimately drive incidents and automation: UEBA finds anomalies by comparing behavior to a learned baseline, and threat intelligence flags activity that matches known-bad indicators. For SC-900, the durable lesson is the see-detect-respond chain across one platform: Sentinel sees data through connectors, detects with analytics, UEBA, and threat intelligence, organizes investigation through incidents and hunting, visualizes with workbooks, and responds through automation rules and Logic Apps playbooks.
A scenario that spans detection and automated, cross-product response is the clearest possible cue for Microsoft Sentinel.
In Microsoft Sentinel, a playbook is built on which Azure service?
Which Sentinel feature centrally manages incident triage and can trigger one or more playbooks when an incident is created or updated?
Which Sentinel capability baselines normal behavior for users and entities to surface anomalies?
A SOC wants to automatically match ingested logs against known malicious IPs, domains, and file hashes from external feeds. Which Sentinel capability supports this?