Forum Discussion

AdiGrio's avatar
AdiGrio
Brass Contributor
Jan 03, 2020

Sentinel alerts stopped running playbooks

I have at least four instances of Sentinel where the alerts create the incidents but don't run the associated playbooks. This seemed to have started somewhere around Dec 30th. There are no failed runs for the logic apps, and if I trigger the playbook from the incident detailed view, it works without any problem. 

 

I have scheduled logic apps (using the Recurrence trigger) and they work fine but those that are supposed to be triggered by an Azure Sentinel alert are not running even though there are alerts raised.

 

I opened a ticket with Microsoft but I didn't receive any reply so far.

 

Regards,

Adrian

  • Neil2020's avatar
    Neil2020
    Copper Contributor
    Apr 07, 2020

    AdiGrio 

     

    Having the exact same issues, has there been any progress?

     

    Tried the workaround you suggested but no success,

     

    Thanks

    Neil

    • AdiGrio's avatar
      AdiGrio
      Brass Contributor
      Apr 08, 2020

      Neil2020 It just fixed by itself after a couple of days, we didn't have to do anything.

      • Neil2020's avatar
        Neil2020
        Copper Contributor
        Apr 08, 2020

        AdiGrio 

         

        Wow, still broken for me so raised a suport case, they have said it is being escalated so I will wait,

         

        Thanks for responding

  • OskarEnfo's avatar
    OskarEnfo
    Copper Contributor
    Jan 03, 2020
    I got the same issue and raised a ticket on 30/12. Triggering the playbooks manually from the incidents works as a work around. Been in touch with the support just now and it seems to be a general issue thats being worked on so MS is aware and working on it.
    • AdiGrio's avatar
      AdiGrio
      Brass Contributor
      Jan 03, 2020

      An interesting thing, I created a dummy playbook, assigned it to the alert and it worked. I switched back to the original playbook and now the alert triggers it.

      • leoszalkowski's avatar
        leoszalkowski
        Brass Contributor
        Jan 03, 2020

        AdiGrio That's odd. 

         

        So you assigned the alert the new dummy playbook and reassigned the alert the old playbook?

  • leoszalkowski's avatar
    leoszalkowski
    Brass Contributor
    Jan 03, 2020

    Also having the same issue across 3 tenants. Problem started for us around 9am EST on the 31st. 

     

    I can run them manually within the Incident details page, but triggers are failing if I run them in the Logic App page.

     

    After some digging around in the logic app code, I looked at the raw output of the block that's failing I found that the header is not populating correctly and the body is not populating at all.

    • AdiGrio's avatar
      AdiGrio
      Brass Contributor
      Jan 03, 2020

      leoszalkowski I've seen your post and the problem looks quite similar. 

       

      The playbook would not work if one triggers the "Sentinel Alert" manually because is missing the data from the alert itself. For this reason, when used from the Incident details interface, the playbook works because it is receiving the alert details.

       

      I don't think this is a problem with the playbooks as they are not showing with failed runs. Most likely is an issue with the Azure Sentinel Logic App trigger (that's still in Preview mode). I will create a new playbook from scratch and see if it makes any difference.

      • leoszalkowski's avatar
        leoszalkowski
        Brass Contributor
        Jan 03, 2020

        AdiGrio You're probably right. That's probably why the raw output of the trigger block isn't populating properly. 

         

         

Resources