Forum Discussion
Playbooks not triggering automatically when an alert is generated
Hi Folks,
I was going through this with Microsoft and came to know that when an alert is triggered from any source other than Azure Sentinel, the playbook will not get triggered automatically.
Consider this example: you have an alert in MCAS that is forwarded to Sentinel. You will be able to see the alert in Sentinel with the source name "MCAS", but it will not trigger the playbook automatically. However, if you have an analytics rule in Azure Sentinel that queries and triggers the same alert as per the schedule, only then will the playbook be triggered.
Automatic triggering of playbooks from different sources via Sentinel is currently in preview.
I have been trying to simulate the same in our environment, to no avail. You might try this as well and let everyone know if this works.
Please do correct me if I am wrong.
Pranesh1060: any news about the Sentinel trigger (preview) "When Azure Sentinel incident creation rule was triggered"? How to use it?
I tried to set the analytics rules (incident-based) with the Playbook using the new trigger, but I got the error "Playbook XXXXXXX doesn't start with 'When_a_response_to_an_Azure_Sentinel_alert_is_triggered' step!"
TIA
Davide
- JKatzmandu, Nov 23, 2020, Brass Contributor
DavideB So I ran into this at one point; I added a "delay" of one minute to my workflow so the Alert will be successfully created and written into Sentinel when it's sent out. This fixed that problem, so whenever a Sentinel Analytics rule would fire and I had the Workbook hooked in through a Sentinel Analytics Rule to a "When a response to an Azure Sentinel alert is triggered" trigger, it would work.
Now I'm experimenting with the "private preview" for when an "Incident" is created, as we want to forward not just Sentinel rules, but all alerts from all products. My confusion is: how do I link the Incident Creation trigger to the rules that are "Create an Incident from MCAS Alert"-style Analytics rules?
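The workaround JKatzmandu describes (a one-minute delay placed right after the alert trigger) rendered as a Logic App workflow definition. This is an added illustration, not code from the thread or from Microsoft; the connection name `azuresentinel`, the trigger path `/subscribe` and the step names are assumptions based on the shape of exported Sentinel playbooks, and the `//` comments must be stripped before pasting into the designer's code view, which only accepts plain JSON.

```jsonc
{
  "definition": {
    "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
    "contentVersion": "1.0.0.0",
    "triggers": {
      // The playbook must start with this exact step; the error quoted
      // above ("doesn't start with ... step!") is raised when it does not.
      "When_a_response_to_an_Azure_Sentinel_alert_is_triggered": {
        "type": "ApiConnectionWebhook",
        "inputs": {
          "body": { "callback_url": "@{listCallbackUrl()}" },
          "host": {
            // assumed connection name for the Azure Sentinel connector
            "connection": { "name": "@parameters('$connections')['azuresentinel']['connectionId']" }
          },
          "path": "/subscribe"
        }
      }
    },
    "actions": {
      // Wait one minute so the alert is fully written into Sentinel
      // before any later step queries it.
      "Delay_one_minute": {
        "type": "Wait",
        "runAfter": {},
        "inputs": { "interval": { "count": 1, "unit": "Minute" } }
      },
      // Placeholder for the real work; its runAfter chains it behind the delay.
      "Capture_alert_payload": {
        "type": "Compose",
        "runAfter": { "Delay_one_minute": [ "Succeeded" ] },
        "inputs": "@triggerBody()"
      }
    }
  }
}
```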
- Ofer_Shezaf, Jul 12, 2020, Microsoft
DavideB: the incident trigger is currently in private preview. The way things work, the Logic App connector support for it cannot be private and hence you see it documented.
- luizao_lf, Oct 28, 2020, Copper Contributor
I am facing the same problem. Just to confirm: while it is (Private View only), I am unable to use it in Sentinel? Is that right?
Do you have any indication of how not to send an email when the alert is created but an incident is already open and the alert is grouped into that incident?
I am getting creation emails, but the alerts are being grouped together in the same incident, so they are not considered new incidents for the purpose of handling time.
As the e-mail is sent for ticket management, more than one ticket is created; however, no new incidents were created, rather alerts were grouped into the same incident.
I would be grateful for some kind of help.
- DavideB, Jul 18, 2020, Copper Contributor
Thank you!