SA1.12 Module Summary
What You Built in This Module
This module moved from framework to implementation. You now have working automation deployed in your Sentinel workspace.
Four automation rules handle triage acceleration (severity override, assignment routing, FP auto-close) and playbook triggering. These rules require no code, deploy in minutes, and provide immediate value by normalising incident priority and routing.
Your first enrichment playbook transforms raw incidents into investigation-ready packages. The playbook extracts account entities, queries the user’s sign-in history, adds formatted enrichment data as an incident comment, and posts a summary to the SOC Teams channel. This is Tier 1 automation — zero blast radius, 30-second execution, and immediate analyst value.
Managed identity authentication connects the playbook to Microsoft APIs without storing credentials. The identity has least-privilege permissions: Sentinel Responder for incident manipulation, Log Analytics Reader for KQL queries. Third-party API keys are stored in Key Vault, never in the playbook definition.
Entity extraction reliably pulls Account, IP, and Host entities from incidents — with defensive patterns that handle missing entities gracefully instead of failing.
Error handling prevents silent failures through Scope-based error groups, retry policies, and incident comments that document partial enrichment when individual queries fail.
Monitoring detects playbook failures within one hour through a KQL analytics rule against Logic App diagnostic logs. The health monitoring ensures you know when automation stops working — before the analysts discover it.
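The failure-monitoring rule described above, written out as an added KQL example for this summary rather than the course's own analytics rule. It assumes the playbook's diagnostic settings ship the WorkflowRuntime category to the Sentinel workspace; the AzureDiagnostics column names (status_s, resource_workflowName_s, resource_runId_s, error_code_s, error_message_s) and the playbook name in the watch list are assumptions to verify against your workspace schema.

```kql
// Added example, not the course's own rule. Scheduled hourly with a 1h lookback
// so a failed playbook run surfaces within the one-hour window described above.
// Column names below are assumptions; confirm them with: AzureDiagnostics | getschema
let lookback = 1h;
// Constructed playbook name: replace with the workflow names you deploy.
let watched = dynamic(["Enrich-Incident-SignInHistory"]);
AzureDiagnostics
| where TimeGenerated > ago(lookback)
| where ResourceProvider == "MICROSOFT.LOGIC"
| where Category == "WorkflowRuntime"
// One event per completed run; action-level events are noisier and not needed here.
| where OperationName == "Microsoft.Logic/workflows/workflowRunCompleted"
| where status_s in ("Failed", "Cancelled", "TimedOut")
// Drop this line to watch every Logic App in the workspace.
| where resource_workflowName_s in (watched)
| summarize
    FailedRuns   = count(),
    FirstFailure = min(TimeGenerated),
    LastFailure  = max(TimeGenerated),
    RunIds       = make_set(resource_runId_s, 10),
    ErrorCodes   = make_set(error_code_s, 5),
    SampleError  = take_any(error_message_s)
    by resource_workflowName_s, Resource, status_s
| project-rename PlaybookName = resource_workflowName_s, RunStatus = status_s
// Repeated failures in one window usually mean a broken connection or permission,
// not a transient API error, so raise the severity for the on-call engineer.
| extend Severity = iff(FailedRuns >= 3, "High", "Medium")
| order by FailedRuns desc, LastFailure desc
```

Map PlaybookName and RunIds into the alert's custom details so the resulting incident links straight to the failed run history in the Logic App designer.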
Cost management quantifies the automation investment: approximately £4-60/month in Logic App execution costs versus £50,000-70,000/year for an additional analyst. The ROI is 75x or higher.
What Comes Next
SA2 expands the single enrichment query from this module into a comprehensive enrichment pipeline: IP reputation, user risk, device compliance, TI correlation, alert history, and geo-location — all running in parallel, all completing in under 30 seconds. The foundation you built here — the trigger, the entity extraction, the incident comment, the Teams notification — becomes the scaffold for every subsequent playbook.