TL;DR: This talk shares our journey building a custom SOAR-like solution for Microsoft Sentinel that 1) combines full-code flexibility with low-code simplicity, and 2) overcomes the limitations of Logic Apps in performance, maintainability, and debugging. Learn about the architecture and design decisions, integrations, limitations, and other lessons we learned while building our SOAR.

Microsoft Sentinel offers a robust SIEM platform, but its automation capabilities rely heavily on Logic Apps, Azure's low-code automation tool. While functional, Logic Apps present significant challenges, most notably in performance, maintainability, and debugging. This is especially true for more complex automation needs.
These limitations motivated us to develop a custom SOAR-like solution that combines the flexibility of low-code automation with the power and precision of full-code capabilities.
We built a solution designed to:
- Support both full-code and low-code automations.
- Operate modularly across diverse environments.
- Be extensible for custom integrations and enhancements.
- Address known limitations in Sentinel’s native automation.
- Run seamlessly within Azure.
In this talk, we share the architecture, implementation, and lessons learned from building this system. Key topics include:
- System architecture and design decisions.
- Integration with Sentinel data.
- UI and dashboarding for visibility.
- External and internal interfaces.
- Caching strategies.
- Error handling, traceability, and debugging.
By the end of this session, you will have actionable insights to build or enhance your own automation solutions on Microsoft Sentinel, avoiding common pitfalls and maximizing efficiency.