Forum Discussion
Playbook (Logic App) - trigger - When Azure Sentinel incident creation rule was triggered
PrashTechTalk: I am not aware that the private preview does not work. That said, the feature will be supported as part of a larger motion to enhance Sentinel automation, called automation rules, which is entering private preview as we speak.
Do these logic apps/playbooks still need to be attached to every single analytics rule?
I'd like to create a 'global' playbook to add contextual information to every incident.
e.g. apply MITRE SHIELD information to every incident's comment section.
I'm not eager to go to all 300 analytic rules and assign a playbook.
- GaryBushey, Oct 13, 2021, Bronze Contributor
SocInABox If you are using the Incident trigger in a playbook, you can use the Automation rules feature of Azure Sentinel to have that playbook automatically run for any incident that gets created.
https://docs.microsoft.com/en-us/azure/sentinel/automate-incident-handling-with-automation-rules
- SocInABox, Oct 13, 2021, Iron Contributor
Thanks Gary, but I'm not sure you're saying a 'global' playbook is possible?
You're saying I still have to assign my playbook to each individual analytic rule's automation, but it will be auto-triggered if an incident is fired for that rule. Or are you saying there's a 'global' feature I don't understand?
- AndrewBlumhardt, Oct 13, 2021, Microsoft
SocInABox The Sentinel logic app triggers for incidents and alerts do not monitor Sentinel for new alerts (though that is an understandable assumption). Rather, those triggers configure the Logic App to be triggered or called by Sentinel. The logic app is waiting to be called.
Alert-based triggers are linked to specific scheduled analytic rules and can be run manually from an incident (scroll to the far right on the alerts list inside an incident). This option is limited to alerts generated by the scheduled rule-type.
Incident-based triggers are called by the new Automation rules. These can be set up to respond to any rule type (any specific rule or all rules). For a global trigger, create a logic app with an incident trigger and create an automation rule to call the Playbook for all rules.
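The "global" setup Andrew describes, written out as an added Bicep example (not code from the thread or from Microsoft docs): one automation rule with no conditions, so it fires for incidents from every analytics rule, whose only action is to run an existing incident-trigger playbook. The workspace name, playbook name and resource group are placeholder assumptions.

```bicep
// Added example: a single Sentinel automation rule that runs one
// incident-trigger playbook for every newly created incident.
// Assumptions (placeholders): the workspace and the Logic App already
// exist; the Logic App uses the "incident creation rule" trigger.
param workspaceName string = 'sentinel-ws'
param playbookName string = 'Enrich-AllIncidents'
param playbookResourceGroup string = resourceGroup().name

resource workspace 'Microsoft.OperationalInsights/workspaces@2022-10-01' existing = {
  name: workspaceName
}

resource playbook 'Microsoft.Logic/workflows@2019-05-01' existing = {
  name: playbookName
  scope: resourceGroup(playbookResourceGroup)
}

// Automation rules are extension resources on the workspace.
// An empty 'conditions' list means "match every incident", which is what
// makes this rule global instead of bound to one analytics rule.
resource globalEnrich 'Microsoft.SecurityInsights/automationRules@2022-11-01' = {
  name: guid(workspace.id, 'global-enrich')
  scope: workspace
  properties: {
    displayName: 'Global incident enrichment'
    order: 1
    triggeringLogic: {
      isEnabled: true
      triggersOn: 'Incidents'
      triggersWhen: 'Created'
      conditions: []
    }
    actions: [
      {
        order: 1
        actionType: 'RunPlaybook'
        actionConfiguration: {
          logicAppResourceId: playbook.id
          tenantId: tenant().tenantId
        }
      }
    ]
  }
}
```

Sentinel can only invoke the playbook if it holds the Microsoft Sentinel Automation Contributor role on the playbook's resource group, so grant that once per resource group rather than touching any of the 300 analytics rules.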