02-26-2026 01:01 AM
Hello!
Been experimenting with bridging Microsoft Sentinel and Workato for automated incident response and wanted to share what we built; it might be useful for anyone thinking about SIEM/SOAR architecture in a mixed-tool environment.
Since there's no direct Sentinel-to-Workato connector, what worked for us was setting up a Sentinel Playbook (Logic App) as the trigger, which then fires a webhook into a Workato recipe. From there Workato handles the cross-system heavy lifting; in our case, creating a ServiceNow ticket, notifying the security team on Teams, and logging enriched details to a SharePoint list.
Honestly the hardest part was deciding what data to pass in the webhook payload; you don't want to forward the full raw alert since it can contain sensitive user/device info. We ended up stripping it down to just the fields Workato actually needed to act on.
For anyone weighing up Sentinel Playbooks vs Workato, Playbooks make more sense if you're staying entirely within the Microsoft stack. But the moment you need to touch non-Microsoft systems, Workato wins easily on simplicity.
And this whole idea actually came up while I was getting ready for the Microsoft Cybersecurity Architect Expert certification and working through SC-100 exam questions and answers on the CertBoosters website, and one of the SIEM/SOAR scenarios just clicked. Went from reading about it in an exam context to actually building it out, which was a great way to reinforce the concepts!
Happy to share more about the recipe structure if anyone's interested!
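The payload-minimization step the post describes (forwarding only the fields the downstream recipe needs, never the raw alert) is easy to get wrong if it is done by deleting known-bad keys rather than by allowlisting known-good ones. Below is an added example, not code from the original post or from Sentinel or Workato, showing an allowlist projection of a Sentinel-style incident into the webhook body, plus a last-line check that refuses to send anything that still carries an e-mail address or IPv4 address. The incident shape, the field names and the sample values are constructed for illustration; the real Logic App would run the equivalent of this as a Compose/Parse JSON step before the HTTP action.

```python
import json
import re
from typing import Any

# Constructed sample shaped like an incident as a Logic App trigger would see it.
# Values are placeholders, not a real capture.
RAW_INCIDENT: dict[str, Any] = {
    "id": "/subscriptions/00000000-0000-0000-0000-000000000000/incidents/inc-0001",
    "properties": {
        "incidentNumber": 4711,
        "title": "Suspicious sign-in from unfamiliar location",
        "severity": "High",
        "status": "New",
        "createdTimeUtc": "2026-02-26T00:55:00Z",
        "incidentUrl": "https://portal.example.test/incident/4711",
        # Fields below are exactly what should NOT leave the tenant via the webhook.
        "description": "User alice@example.com signed in from an unusual device",
        "relatedEntities": [
            {"kind": "Account", "upn": "alice@example.com"},
            {"kind": "Ip", "address": "10.20.30.40"},
            {"kind": "Host", "hostName": "LAPTOP-ALICE"},
        ],
    },
}

# Allowlist: output key -> path inside the raw incident.
# Anything not listed here is dropped, so new fields Sentinel adds later never leak by default.
ALLOWLIST: dict[str, tuple[str, ...]] = {
    "incidentNumber": ("properties", "incidentNumber"),
    "title": ("properties", "title"),
    "severity": ("properties", "severity"),
    "status": ("properties", "status"),
    "createdTimeUtc": ("properties", "createdTimeUtc"),
    "incidentUrl": ("properties", "incidentUrl"),
}


def _get_path(obj: Any, path: tuple[str, ...]) -> Any:
    """Walk a nested dict; return None if any key on the path is missing."""
    for key in path:
        if not isinstance(obj, dict) or key not in obj:
            return None
        obj = obj[key]
    return obj


def minimize_incident(raw: dict[str, Any], allowlist: dict[str, tuple[str, ...]] = ALLOWLIST) -> dict[str, Any]:
    """Project the raw incident onto the allowlisted fields only."""
    out: dict[str, Any] = {}
    for name, path in allowlist.items():
        value = _get_path(raw, path)
        if value is not None:
            out[name] = value
    return out


# Identifiers that should never appear in the forwarded body, even inside allowlisted
# free-text fields such as the title (analysts sometimes paste a UPN into it).
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def leaked_identifiers(payload: dict[str, Any]) -> list[str]:
    """Return every e-mail or IPv4 literal found anywhere in the serialized payload."""
    body = json.dumps(payload)
    return sorted(set(EMAIL_RE.findall(body)) | set(IPV4_RE.findall(body)))


def build_webhook_body(raw: dict[str, Any]) -> str:
    """Minimize, verify nothing sensitive survived, then serialize for the HTTP action."""
    minimal = minimize_incident(raw)
    leaks = leaked_identifiers(minimal)
    if leaks:
        # Fail closed: better to drop the automation for one incident than to ship PII.
        raise ValueError(f"refusing to forward payload containing identifiers: {leaks}")
    return json.dumps(minimal, separators=(",", ":"))


if __name__ == "__main__":
    print("raw payload leaks:", leaked_identifiers(RAW_INCIDENT))
    print("webhook body:", build_webhook_body(RAW_INCIDENT))
```

The design choice worth copying is the direction of the filter: the allowlist names what may be sent, so a schema change on the Sentinel side adds nothing to the webhook until someone consciously adds it. The identifier scan is a backstop for the allowlisted free-text fields, and it raises rather than silently redacting so the failure is visible in the Logic App run history.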