Forum Discussion
jeffazure
Jul 19, 2021Copper Contributor
Playbooks appear in playbooks list, but not available for automated response (bis)
Following: Playbooks appear in playbooks list, but not available for automated response (solved but not relevant) And: Unable to add playbook to automated incident response for Azure Sentinel (Not r...
- Jul 20, 2021I found it! it was a bug!
When a logic App is created with the wrong trigger at first (alert instead of incident), it's not seen by Automation rule plaubook menu (normal).
But even when afterwards trigger is changed to "Incident rule was created", playbook type is still not updated, so Automation rule can't see it.
had to delete my Logic App and recreate it to make it work.
Rod_Trent
Microsoft
Jul 19, 2021jeffazure Have you also set the Azure Sentinel Automation Contributor?
jeffazure
Jul 20, 2021Copper Contributor
Hi Rod_Trent,
Thank you for your answer. That one was rather tricky, interface is not clear for automation for this subject.
I successfully applied right permission to my user (I got Sub owner account in parallel) AND followed your tutorial (from : https://docs.microsoft.com/fr-fr/azure/sentinel/tutorial-respond-threats-playbook). All rights are OK in RG IAM, I can see "Security Insights" having Automation rights (please note that my Logic App is in the same RG as Sentinel).
Not my user, nor even Owner can see playbook anyway in the "New automation rule" menu.
- jeffazureJul 20, 2021Copper ContributorI found it! it was a bug!
When a logic App is created with the wrong trigger at first (alert instead of incident), it's not seen by Automation rule plaubook menu (normal).
But even when afterwards trigger is changed to "Incident rule was created", playbook type is still not updated, so Automation rule can't see it.
had to delete my Logic App and recreate it to make it work.- Rod_TrentJul 20, 2021
Microsoft
Oh boy...
You had me checking everything. You should report that bug if you can. I'll highlight it internally, too.