Hi i am attempting to use the trigger "When Azure Sentinel incident creation rule was triggered" that's in preview. but the playbook is not triggered even if i know that i have a new incident in Sentinel what's missing from the configuration?

erlendoyen : Join our Private Previews program

erlendoyen Go to Analytics and click the alert rule that you want to get alerted on and edit it. The rule type has to be scheduled for you to be able to trigger the playbook. Go to automated response type and select the playbook/logic app that you created and save it. It's kind of confusing but you will have to do it for every alert rule and it doesn't do it for every rule automatically as the logic app suggests.

erlendoyen If you have a Microsoft NDA, you can sign up for our preview program at www.aka.ms/SecurityPrP

I would start by creating a logic app with just a Sentinel incident trigger. Save the app so it can be linked in Sentinel. In the Automation blade create an Automation rule. This will default to "Rule name contains all". Add a Playbook action calling your new logic app.There are some additional steps to grant Sentinel access to trigger logic apps. This adds the Sentinel Automation role to the resource group of your workspace. Look in settings for setup UI and instructions.Now your logic app will start being triggered by every new incident. Now you have a good mechanism to start adding activities and testing the logic app. Using "run trigger" doesn't work with triggers that require input. Beyond that I recommend importing some sample Logic Apps from the Sentinel repo for comparison. That initial trigger may not bring in all of the data you want/need. You can run secondary activities from the Sentinel connector. It is not uncommon to see a Sentinel trigger followed by a Sentinel activity; like Get an entity, or Get Incident. Sometimes those activities pull additional information or present it in a more useful way. There is also a Azure Monitor connector that can read data from the workspace directly.

Don't forget to check the rest of your Logic App to make sure you were not using dynamic data from either the trigger or action you deleted. Not saying why I know to do this 😉

Playbook (Logic App) - trigger - When Azure Sentinel incident creation rule was triggered

ruchita21
Microsoft
Mar 12, 2021
What is the GA date for this feature in logic apps? Is there anybody who is aware of this?
- Thijs Lecomte
  Bronze Contributor
  Mar 12, 2021
  It was announced at Ignite it would turn public preview soon
  https://techcommunity.microsoft.com/t5/azure-sentinel/microsoft-ignite-2021-what-s-new-in-azure-sentinel/ba-p/2175225
  No news has been out when it will become available in our subscriptions
  - Ofer_Shezaf
    Microsoft
    Mar 17, 2021
    Started rolling out gradually to public preview today. Should be 100% rolled out in two weeks.
PrashTechTalk
Brass Contributor
Jan 11, 2021
When can we expect this working. Even the private previews doesn't work. Microsoft failed in delivering this again ?
- Ofer_Shezaf
  Microsoft
  Jan 11, 2021
  PrashTechTalk : I am not aware that the private preview does not work. That said, the feature will be supported as part of a larger motion to enhance Sentinel automation, called automatoin rules, which is entering private preview as we speak.
  - SocInABox
    Iron Contributor
    Oct 13, 2021
    Hi everyone,
    Do these logic apps/playbooks still need to be attached to every single analytics rule?
    I'd like to create a 'global' playbook to add contextual information to every incident.
    eg. apply MITRE SHIELD information to every incident's comment section.
    I'm not eager to go to all 300 analytic rules and assign a playbook.
AndrewBlumhardt
Microsoft
Oct 19, 2020
erlendoyen

Private previews tend to move pretty fast with Sentinel. Worth the wait on the new activity.

If you need something sooner you can schedule a query against the incidents table using the "Run query and list results" activity. https://azurecloudai.blog/2020/09/23/sentinel-email-notification-logic-app/
blankachu
Copper Contributor
Aug 19, 2020
erlendoyen Go to Analytics and click the alert rule that you want to get alerted on and edit it. The rule type has to be scheduled for you to be able to trigger the playbook. Go to automated response type and select the playbook/logic app that you created and save it.
It's kind of confusing but you will have to do it for every alert rule and it doesn't do it for every rule automatically as the logic app suggests.
GaryBushey
Bronze Contributor
Aug 12, 2020
erlendoyen You are probably not going to get much help here as, like you said, the feature is in private preview and we are unable to discuss it. There should be some email addresses in the preview documents that you can use to ask for assistance.
- erlendoyen
  Copper Contributor
  Aug 12, 2020
  Hm, I have not applied for a private priview so I assumed it's public preview now?
  - GaryBushey
    Bronze Contributor
    Aug 12, 2020
    erlendoyen I think what is happening is the Incident trigger is showing up when creating Playbooks but you still need to be part of the private preview to use it. I am trying to get verification of this and if I am wrong I will let you know.

Forum Discussion

Playbook (Logic App) - trigger - When Azure Sentinel incident creation rule was triggered

Share

Resources