Forum Discussion
Playbook (Logic App) - trigger - When Azure Sentinel incident creation rule was triggered
- Ofer_Shezaf, Jan 11, 2021
Microsoft
PrashTechTalk: I am not aware that the private preview does not work. That said, the feature will be supported as part of a larger motion to enhance Sentinel automation, called automation rules, which is entering private preview as we speak.
- SocInABox, Oct 13, 2021, Iron Contributor
Hi everyone,
Do these logic apps/playbooks still need to be attached to every single analytics rule?
I'd like to create a 'global' playbook to add contextual information to every incident.
e.g. apply MITRE SHIELD information to every incident's comment section.
I'm not eager to go to all 300 analytic rules and assign a playbook.
- GaryBushey, Oct 13, 2021, Bronze Contributor
SocInABox If you are using the Incident trigger in a playbook, you can use the Automation rules feature of Azure Sentinel to have that playbook automatically run for any incident that gets created.
https://docs.microsoft.com/en-us/azure/sentinel/automate-incident-handling-with-automation-rules
- PrashTechTalk, Jan 11, 2021, Brass Contributor
Ofer_Shezaf - The playbook is not listed in the automated response section of the analytics rule (when in edit). The tenant is registered for private preview, but sadly none of the playbooks using the new trigger display in the automated response list.