
Using Tasks in Sentinel and Creating Automation

02/13/2024

Available in preview through the CCP program a few months ago and now generally available (GA) to all users, the Tasks feature in Microsoft Sentinel is an important and long-awaited capability (Use tasks to manage incidents in Microsoft Sentinel | Microsoft Learn).

Why it is an important resource

Incident comments had already been added to Sentinel some time ago, but they did not allow controlling what had to be done, or in which order; they served for each operator or analyst to record what had been done or discovered.

The tasks feature lets SOC analysts and operators lay out, for each incident, a sequence of well-defined and clearly identified steps.

The screen below shows how simple and useful this is.

Note that I already have a default task created by automation, which I cover later, and I have also created an example task by hand. Adding tasks is simple, and the task description can be edited with bullets or numbered lists.

Tasks cannot be assigned to individual users; ownership is set at the incident level. The analyst responsible for triage assigns the incident to the operator or specialist analyst who will lead the investigation, and that person works through the task list.

Automating Tasks

In the example I used, note that the first task was created by an automation rule; it includes the name of the person responsible and creates a basic task just as an example.

This is done in Sentinel under Automation, with an automation rule that applies to all incidents created in my demo environment:

My automation rule includes the task seen earlier in the incident interface. I can create as many tasks as I need with the “Add action” button below, so every incident always starts with the basic list of actions.

Typical question: but each type of incident has its own standardized tasks, for example a DLP incident requires validating the content and the owner of the information according to policy ABC, and so on.

Answer: in my example I do not use filters, but you can use the “Analytic rule name” condition to indicate which types of incidents the automation rule applies to and thus include tasks specific to a given incident. In my environment I have the standard automation rule shown above and another one for specific analytics rules, such as IOC indicator matches, where I insert tasks whenever that type of incident occurs.
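The same setup can be driven from code instead of the portal. The following is an added example (it is not code from the original post and not a Microsoft sample) that builds the two kinds of automation rules described above, a default rule that adds baseline tasks to every new incident and one rule per analytics rule with incident-type-specific tasks, using the Microsoft.SecurityInsights automationRules REST schema (the "Analytic rule name" condition in the portal corresponds to the IncidentRelatedAnalyticRuleIds property). The API version, the workspace scope, the analytics-rule IDs, the rule names and the task catalog are all placeholders/assumptions; the apply step only runs if an access token is supplied.

```python
"""Generate Microsoft Sentinel automation rules that add incident tasks.

Added example, not code from the original post. Builds one default rule that
adds baseline tasks to every new incident, plus one rule per analytics rule
with tasks for that incident type. Assumptions: the API version, the
workspace scope and the analytics-rule resource IDs are placeholders.
"""
import json
import os
import urllib.request

API_VERSION = "2023-12-01-preview"  # assumption: a version that supports AddIncidentTask

# Constructed sample data: the resource IDs below are placeholders, not real resources.
WORKSPACE_SCOPE = (
    "/subscriptions/00000000-0000-0000-0000-000000000000"
    "/resourceGroups/rg-soc/providers/Microsoft.OperationalInsights"
    "/workspaces/law-soc"
)
RULE_SCOPE = WORKSPACE_SCOPE + "/providers/Microsoft.SecurityInsights"

DEFAULT_TASKS = [
    ("Confirm incident owner", "Assign the incident to the analyst leading the investigation."),
    ("Classify severity", "Confirm or adjust severity after initial triage."),
]

# Analytics rule resource ID -> tasks for incidents raised by that rule (constructed).
TASK_CATALOG = {
    RULE_SCOPE + "/alertRules/11111111-1111-1111-1111-111111111111": [  # DLP rule
        ("Validate content against policy ABC", "Check the matched content against DLP policy ABC."),
        ("Identify the information owner", "Find the data owner and confirm whether sharing was authorised."),
    ],
    RULE_SCOPE + "/alertRules/22222222-2222-2222-2222-222222222222": [  # IOC match rule
        ("Enrich the indicator", "Look up the IOC in threat intelligence and record the verdict."),
        ("Check for lateral spread", "Search for the indicator across other hosts and users."),
    ],
}


def build_automation_rule(display_name, order, tasks, analytic_rule_ids=None):
    """Return the PUT body for one automation rule that adds `tasks` when an incident is created.

    If analytic_rule_ids is given, the rule only fires for incidents whose related
    analytics rule is one of them (the portal's "Analytic rule name" condition).
    """
    if not tasks:
        raise ValueError("an automation rule needs at least one task")
    conditions = []
    if analytic_rule_ids:
        conditions.append({
            "conditionType": "Property",
            "conditionProperties": {
                "propertyName": "IncidentRelatedAnalyticRuleIds",
                "operator": "Contains",
                "propertyValues": list(analytic_rule_ids),
            },
        })
    actions = [
        {
            "order": i + 1,  # tasks are added in this order
            "actionType": "AddIncidentTask",
            "actionConfiguration": {"title": title, "description": description},
        }
        for i, (title, description) in enumerate(tasks)
    ]
    return {
        "properties": {
            "displayName": display_name,
            "order": order,
            "triggeringLogic": {
                "isEnabled": True,
                "triggersOn": "Incidents",
                "triggersWhen": "Created",
                "conditions": conditions,
            },
            "actions": actions,
        }
    }


def build_rule_set(default_tasks, catalog):
    """Default rule runs first (order 1); then one rule per analytics rule in the catalog."""
    rules = {"default-incident-tasks": build_automation_rule(
        "Default incident tasks", 1, default_tasks)}
    for n, (rule_id, tasks) in enumerate(sorted(catalog.items()), start=2):
        short_id = rule_id.rsplit("/", 1)[-1]
        rules["tasks-for-" + short_id] = build_automation_rule(
            "Tasks for " + short_id, n, tasks, [rule_id])
    return rules


def task_titles(body):
    """Titles of the tasks an automation rule body would add, in order."""
    return [a["actionConfiguration"]["title"] for a in body["properties"]["actions"]]


def apply_rule(rule_name, body, token):
    """PUT one rule to ARM. Needs a bearer token for https://management.azure.com."""
    url = (f"https://management.azure.com{RULE_SCOPE}/automationRules/{rule_name}"
           f"?api-version={API_VERSION}")
    req = urllib.request.Request(url, data=json.dumps(body).encode(), method="PUT",
                                 headers={"Authorization": f"Bearer {token}",
                                          "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return resp.status


if __name__ == "__main__":
    token = os.environ.get("AZURE_ACCESS_TOKEN")  # e.g. from `az account get-access-token`
    for name, body in build_rule_set(DEFAULT_TASKS, TASK_CATALOG).items():
        print(name, "->", task_titles(body))
        if token:
            print("  PUT status", apply_rule(name, body, token))
```

The default rule is given order 1 so the baseline tasks are added before the rule-specific ones; the specific rules are restricted with a single IncidentRelatedAnalyticRuleIds condition, which is what the portal's "Analytic rule name" condition sets. Run it without a token to review the generated bodies; set AZURE_ACCESS_TOKEN (a token for the ARM audience from an identity with Microsoft Sentinel Contributor rights) to create the rules.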

Conclusion

With this feature it is now possible to have a clear indication of how to handle an incident in an organized way, and to visually verify which steps have already been taken and which are still pending.

This will help a great deal in resolving and tracking incidents, especially those that take a considerable amount of time or involve a series of concurrent tasks throughout the analysis.
