Forum Discussion
Playbook (Logic App) - trigger - When Azure Sentinel incident creation rule was triggered
Thanks Gary, but I'm not sure you're saying a 'global' playbook is possible?
You're saying I still have to assign my playbook to each individual analytic rule's automation, but it will be auto-triggered if an incident is fired for that rule.
Or are you saying there's a 'global' feature I don't understand?
SocInABox The Sentinel logic app triggers for incidents and alerts do not monitor Sentinel for new alerts (though that is an understandable assumption). Rather, those triggers configure the Logic App to be triggered or called by Sentinel. The logic app is waiting to be called.
Alert-based triggers are linked to specific scheduled analytic rules and can be run manually from an incident (scroll to the far right on the alerts list inside an incident). This option is limited to alerts generated by the scheduled rule-type.
Incident-based triggers are called by the new Automation rules. These can be set up to respond to any rule-type (any specific rule or all rules). For a global trigger, create a logic app with an incident trigger and create an automation rule to call the Playbook for all rules.
- SocInABox, Oct 13, 2021, Iron Contributor
Andrew, thanks, this is getting me closer to my answer!
So my new question is: how to create an automation rule to trigger on all incidents.
e.g. is this a Sentinel rule that:
1. queries for all incidents
2. applies automation to call the playbook
3. extracts the incident ID
4. processes playbook logic as needed.
Or do you mean something else by 'create an automation rule to call the playbook for all rules'?
Once I understand what you mean by this I should be on my way.
Is there an example of this somewhere?
It seems to me it's a 1 or 2 step process but I don't quite get it yet.
- AndrewBlumhardt, Oct 13, 2021, Microsoft
I would start by creating a logic app with just a Sentinel incident trigger. Save the app so it can be linked in Sentinel. In the Automation blade create an Automation rule. This will default to "Rule name contains all". Add a Playbook action calling your new logic app.
There are some additional steps to grant Sentinel access to trigger logic apps. This adds the Sentinel Automation role to the resource group of your workspace. Look in settings for setup UI and instructions.
Now your logic app will start being triggered by every new incident. Now you have a good mechanism to start adding activities and testing the logic app. Using "run trigger" doesn't work with triggers that require input.
Beyond that I recommend importing some sample Logic Apps from the Sentinel repo for comparison. That initial trigger may not bring in all of the data you want/need. You can run secondary activities from the Sentinel connector. It is not uncommon to see a Sentinel trigger followed by a Sentinel activity, like Get an entity or Get Incident. Sometimes those activities pull additional information or present it in a more useful way. There is also an Azure Monitor connector that can read data from the workspace directly.
- SocInABox, Oct 13, 2021, Iron Contributor
THANK YOU ANDREW (and everyone)!!! I think I get it now. Great explanation.
Funny thing is I'm quite fluent with many of the GitHub playbooks but I've never used this automation feature from within the playbooks - I've successfully imported/fixed over 30 of them in my Azure lab.
If you have any recommended training with playbooks specific to Sentinel I'd be interested.
Clearly my self-learning on this topic contains some gaps.