The modern SOC runs on Microsoft Teams

Over the past year, as working from home became the new normal, the role of digital collaboration in SOC processes grew for many organizations. With analysts no longer having the convenience of being able to walk over to the next office to collaborate on incidents, they instead find themselves connecting over chat, email, or video.

The soaring success of Microsoft Teams and the new challenges of remote work made Teams a tool of choice for many of our customers, which led us to build the Azure Sentinel integration with Microsoft Teams.


What is it?

Azure Sentinel’s Microsoft Teams collaboration lets SOC teams work together on security incidents with colleagues and external stakeholders through a tightly integrated workflow built on top of Microsoft Teams and Azure Sentinel.

With this new feature, Azure Sentinel now enables organizations to streamline responses to potential cyberattacks using a virtual “war room.” The war room helps to ensure that all stakeholders, inside and outside the SOC, are working as a team during what can be an extremely stressful time for any organization.

This new Microsoft Teams collaboration integration gives you:

  • The ability to create a highly integrated, incident-specific Microsoft Teams team, with selected AAD groups automatically added.
  • The ability to “favorite” groups that you work closely with to shorten the team-creation process.
  • Multiple tabs automatically added to the team including Posts, Incident Page, OneNote, and Files. The Incident Page tab provides the latest incident data and enables convenient updates at any time.
  • Automatic archiving of the incident team when the incident is closed, and automatic restoration of the team if the incident is re-opened.


Where do I find it and how does it work?

In Azure Sentinel, in the Threat management > Incidents grid, select the incident you’re currently investigating.

Right-click on the incident or select the new Actions option at the bottom of the incident pane, and then select Create a team.

The New team pane opens on the right. Define the team name, description, and any groups you want to add to your war room. If you regularly work with the same teams, you may want to select the star button to save them as favorites. Favorites appear as the first groups suggested the next time that you create a war room.

Select your new Teams integration link to switch into Microsoft Teams, where all the data about your incident is listed on the Incident page tab. Continue the conversation about the investigation in Microsoft Teams for as long as you need. You have the full incident details, always up to date, directly in Teams.

When you close an incident, the related team that you’ve created in Microsoft Teams is archived. If the incident is ever re-opened, that team is also re-opened so that you can continue your conversation right where you left off.

These are just a few highlights of the new Azure Sentinel – Microsoft Teams collaboration feature. For a full list of the functionalities and step-by-step instructions on how to use it, please refer to the documentation.

Get started today!

We encourage you to try using Teams Collaboration now and enjoy a seamless collaboration experience.

Try it out, and let us know what you think!
