Herber62
Copper Contributor
Apr 27, 2022

Difference between native automation rules and analytic rule automation rules?

Hi, I'm a student who is researching the SOAR part of Microsoft Sentinel.


When researching automation rules I've come across automation rules that are triggered by incidents. These come from analytics rule(s).

But when you create an analytics rule, it is possible to create automation rules in that specific analytic rule. It is not possible to select already-made automation rules. Why the difference? It would be beneficial to allow certain known usable automation rules to be run.


Following on from this question, and more globally: are all automation rules evaluated for every incident? Is there a way to limit this?


Greetings, Herber

Student MCT

  •
    GaryBushey
    Bronze Contributor

    Herber62, for the first part of your question (why can't we select automation rules within an Analytic rule), it is basically a design decision. You can always ask for this to be added via the User Voice site: Microsoft Sentinel · Community (azure.com)


    For the second question, you can easily select which Analytic rules the Automation rule works against. When adding/editing an Automation rule, in the "Conditions" section, there is a dropdown list called "If Analytic rule name" and the default values are "Contains" and "All". If you click on the "All" you will see it lists all the rules you have and you can select one or more. Then the automation rule will only trigger when one of the selected Analytic rules creates an incident. You can also use this feature to take care of your first question.

    •
      Herber62
      Copper Contributor
      GaryBushey
      Thanks for the response. I'll be submitting this feature for later implementations.
      On the second answer, I didn't think it really through. But it is indeed the answer I was looking for.
      Thanks a lot!!
      Cheers
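The scoping GaryBushey describes (the "If Analytic rule name" condition) can also be set outside the portal. The Bicep template below is an added example, not code from this thread or from Microsoft: it assumes an existing Log Analytics workspace named by `workspaceName`, takes the full resource IDs of the selected analytics rules in the `analyticRuleIds` parameter, and assumes API version 2023-02-01. Leaving the `conditions` array empty is the equivalent of the portal's default "All", which makes the rule run for every incident.

```bicep
// Added example (not from the thread): an automation rule limited to
// incidents created by specific analytics rules.
param workspaceName string

// Full resource IDs of the analytics rules this automation rule should
// react to, e.g. '/subscriptions/<sub>/resourceGroups/<rg>/providers/
// Microsoft.OperationalInsights/workspaces/<ws>/providers/
// Microsoft.SecurityInsights/alertRules/<rule-guid>' (placeholders).
param analyticRuleIds array

resource workspace 'Microsoft.OperationalInsights/workspaces@2022-10-01' existing = {
  name: workspaceName
}

// Automation rules are extension resources on the workspace.
resource scopedRule 'Microsoft.SecurityInsights/automationRules@2023-02-01' = {
  scope: workspace
  name: guid(workspaceName, 'scoped-automation-rule')
  properties: {
    displayName: 'Tag incidents from selected analytics rules'
    order: 1
    triggeringLogic: {
      isEnabled: true
      triggersOn: 'Incidents'
      triggersWhen: 'Created'
      // Without this condition the rule matches every new incident ("All").
      conditions: [
        {
          conditionType: 'Property'
          conditionProperties: {
            propertyName: 'IncidentRelatedAnalyticRuleIds'
            operator: 'Contains'
            propertyValues: analyticRuleIds
          }
        }
      ]
    }
    actions: [
      {
        order: 1
        actionType: 'ModifyProperties'
        actionConfiguration: {
          labels: [
            { labelName: 'scoped-automation', labelType: 'User' }
          ]
        }
      }
    ]
  }
}
```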
