Microsoft Events presents a practical guide to AI-driven, controlled responses in Microsoft Sentinel, featuring Blink micro agents and workflow automation tools for security teams.

Sentinel Alert to Autonomous Action: Controlled AI Response Framework

Learn how to accelerate incident response in Microsoft Sentinel with an AI-powered automation framework presented at Microsoft Ignite.

Key Topics

  • Blink Platform Capabilities: Demonstration of Builder Copilot and Analyst Copilot for building and managing security automation.
  • Workflow Editor: Tips on using Blink’s integrated tools to design reusable workflows.
  • Alert Verification: How Sentinel sends alerts to Microsoft Teams and how AI agents verify responses.
  • AI Agents vs LLMs: Exploring the differences between Large Language Models and specialized AI agents for security operations.
  • Agent Responsibilities: Using AI agents to investigate Sentinel alerts, including hands-on KQL query examples for advanced threat hunting.
  • Controlled Automation: Frameworks for fast, safe, and environment-specific security remediation.
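The "Agent Responsibilities" topic above covers investigating Sentinel alerts with KQL. As an added illustration of that kind of query (written for this page, not taken from the session or from Blink), the query below pulls recent Sentinel alerts, unpacks the account entities each alert carries, and joins them to Microsoft Entra sign-ins in a window around the alert so an analyst or agent can see whether the implicated account authenticated from unexpected IPs or apps. `SecurityAlert` and `SigninLogs` are the standard Sentinel tables; the 24h lookback, the 1h window and the severity filter are assumptions to adjust per environment.

```kusto
// Added example (not from the session): enrich Sentinel alerts with the
// sign-in activity of the accounts they name. Lookback, window and severity
// filter are assumed values.
let lookback = 24h;
let window = 1h;
SecurityAlert
| where TimeGenerated > ago(lookback)
| where AlertSeverity in ("High", "Medium")
// Entities is a JSON array; keep only the account entities.
| extend entities = parse_json(Entities)
| mv-expand entity = entities
| where tostring(entity.Type) == "account"
| where isnotempty(tostring(entity.Name))
| extend UserPrincipalName = tolower(strcat(tostring(entity.Name), "@", tostring(entity.UPNSuffix)))
| project AlertTime = TimeGenerated, SystemAlertId, AlertName, AlertSeverity, Tactics, UserPrincipalName
// Join to sign-ins for the same UPN, then restrict to the window around the alert.
| join kind=inner (
    SigninLogs
    | where TimeGenerated > ago(lookback)
    | project SigninTime = TimeGenerated,
              UserPrincipalName = tolower(UserPrincipalName),
              IPAddress, Location, AppDisplayName, ResultType
  ) on UserPrincipalName
| where SigninTime between ((AlertTime - window) .. (AlertTime + window))
| summarize Signins = count(),
            FailedSignins = countif(ResultType != "0"),   // "0" is a successful sign-in
            DistinctIPs = dcount(IPAddress),
            IPs = make_set(IPAddress, 10),
            Apps = make_set(AppDisplayName, 10)
  by SystemAlertId, AlertName, AlertSeverity, AlertTime, UserPrincipalName
| order by AlertTime desc
```

Two caveats a practitioner would want: the join keys on the UPN reconstructed from `Name` and `UPNSuffix`, so alerts whose account entity carries only an object ID or SID will not match and need a second join on `AadUserId`; and the output is evidence for a decision gate, not a verdict, which is the point of a controlled framework: an agent should attach results like these to the incident and wait for the configured approval step before any remediation runs.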

Workflow Highlights

  • Automate workflow creation and response steps with Builder Copilot
  • Use Analyst Copilot for investigation and validation
  • Integrate alert messaging with Microsoft Teams
  • Configure custom micro agents to trigger, investigate, and resolve incidents

Presenter

Joshua Weinick shares insights aimed at intermediate and advanced security practitioners.

Conclusion

Expand automation capabilities in Sentinel beyond simple alerting to full-lifecycle, AI-driven incident workflows.