Forum Discussion
Playbook (Logic App) - trigger - When Azure Sentinel incident creation rule was triggered
Funny thing is I'm quite fluent with many of the GitHub playbooks, but I've never used this automation feature from within the playbooks. I've successfully imported/fixed over 30 of them in my Azure lab.
If you have any recommended training with playbooks specific to Sentinel I'd be interested.
Clearly my self-learning on this topic contains some gaps.
Check out the run after feature if this is new...super cool.
Run After: https://docs.microsoft.com/en-us/azure/logic-apps/logic-apps-exception-handling#customize-run-after-behavior
Logic Apps Learning Path: https://docs.microsoft.com/en-us/learn/paths/build-workflows-with-logic-apps/
- SocInABox, Oct 14, 2021, Iron Contributor
Thanks Gary, I've added a step #4: review ALL variables.
I know exactly what you're referring to!
In general when you replace any logic app containing variables it's good to review all 'downstream' logic to ensure it's not affected by the change.
- GaryBushey, Oct 14, 2021, Bronze Contributor
Don't forget to check the rest of your Logic App to make sure you were not using dynamic data from either the trigger or action you deleted. Not saying why I know to do this 😉
- SocInABox, Oct 13, 2021, Iron Contributor
If anyone needs the exact steps I took to convert my playbook from a user-triggered (alert based) playbook to a 'global automation' (incident based) playbook here they are:
(warning, there is a cost to using automation rules, so if you trigger a lot of incidents you might want to keep tabs on the charges)
How to convert an 'Alert' triggering playbook to an 'Incident' triggering playbook with a 'global automation rule' that will trigger for all of your incidents.
1. Clone your old 'Alert triggering' playbook
2. Replace the first logic app operator (the 'Sentinel alert' operator) with the 'Sentinel Incident' operator.
3. Create an automation rule as shown in the screenshot below.
4. Review ALL variables - if you see errors, then just delete and replace the variables so they are properly 'linked'.
Optional: If you're using a parser operation to extract a field like 'entity', then your json parser will need to be updated.
Optional: update incident arm id in any of your remaining Sentinel logic operators.
Visual description of the steps above:
- SocInABox, Oct 13, 2021, Iron Contributor
Interesting, I didn't know run after was new.
I saw that in the JSON for all the rules, but maybe the GUI exposure is the new piece?
One thing I'd like to have as a feature is an END operator, or a 'fail silently'.
For example I don't like to see a 'failed' result if one parallel branch of my logic app fails and the other 3 branches succeed.
I could use an if/then condition, but I was hoping there was a way to end silently without failing.
(that learning path is super basic, but thanks for sharing)
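An added illustration, not from anyone in this thread: a Logic App workflow definition sketch that combines the incident trigger from the conversion steps above with the run after pattern for the parallel-branch problem, so one failed branch no longer marks the whole run as failed. The branch contents, the `azuresentinel` connection name and the webhook URL are assumed placeholders.

```json
{
  "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
  "contentVersion": "1.0.0.0",
  "parameters": { "$connections": { "type": "Object", "defaultValue": {} } },
  "triggers": {
    "Microsoft_Sentinel_incident": {
      "type": "ApiConnectionWebhook",
      "inputs": {
        "body": { "callback_url": "@{listCallbackUrl()}" },
        "host": { "connection": { "name": "@parameters('$connections')['azuresentinel']['connectionId']" } },
        "path": "/incident-creation"
      }
    }
  },
  "actions": {
    "Branch_Enrich": {
      "type": "Scope",
      "description": "Parallel branch 1 (placeholder work): reads the incident ARM id that incident-based Sentinel actions expect",
      "runAfter": {},
      "actions": {
        "Incident_ARM_id": { "type": "Compose", "runAfter": {}, "inputs": "@triggerBody()?['object']?['id']" }
      }
    },
    "Branch_Notify": {
      "type": "Scope",
      "description": "Parallel branch 2 (placeholder work): an outbound call that may fail; the URL is an assumed placeholder",
      "runAfter": {},
      "actions": {
        "Post_title": {
          "type": "Http",
          "runAfter": {},
          "inputs": { "method": "POST", "uri": "https://example.invalid/hook", "body": "@triggerBody()?['object']?['properties']?['title']" }
        }
      }
    },
    "Finish": {
      "type": "Compose",
      "description": "Runs on any outcome of both branches, so a single failed branch does not fail the run; branch statuses are kept for review",
      "runAfter": {
        "Branch_Enrich": [ "Succeeded", "Failed", "Skipped", "TimedOut" ],
        "Branch_Notify": [ "Succeeded", "Failed", "Skipped", "TimedOut" ]
      },
      "inputs": { "enrichStatus": "@result('Branch_Enrich')[0]['status']", "notifyStatus": "@result('Branch_Notify')[0]['status']" }
    }
  }
}
```

The built-in end operator is the Terminate action (type "Terminate" with a runStatus of Succeeded, Failed or Cancelled), which can be placed behind a run after on the branch statuses when a run should explicitly stop. Keep the failed branch status visible somewhere (here the Finish output) so a silently tolerated failure is still reviewable during incident triage.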