Forum Discussion
Sentinel Playbook help required
Hi there,
I am trying to create a logic app for when a new Sentinel incident is triggered: it will check the entities in the incident, compare them with the members of a defined Entra ID group, and if there is a match it will change the status to close the incident; if there is no match it will send an email.
Is this something someone in the forum has already built? Or is there someone who could help me achieve this logic?
Thank you.
1 Reply
- AndrewBlumhardt
Microsoft
If this is an incident based on a Sentinel rule, you are better off using automation rules for a small number of user exemptions. For a larger list I would add a list to the incident rule's KQL. This will achieve the auto-close requirement and prevent response delays. There are email-generating playbook samples provided; also look at the essentials solutions in the content hub. If you do decide to go with a custom playbook, I would use an LLM to guide the creation. Build from a template or start fresh. I would use a watchlist to store your exclusion list for easier management.
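The reply suggests keeping the exemption list in a watchlist and filtering it out inside the analytics rule's KQL, so no incident is raised for those accounts in the first place. The query below is an added example written for this thread; it is not code from either poster or from Microsoft. It assumes a watchlist with the alias `ExemptUsers` whose `SearchKey` column holds user principal names, and the detection itself (many successful sign-ins from one IP within an hour) is only a stand-in for whatever rule the original incident comes from.

```kql
// Added example, not from the thread: an analytics-rule query that drops
// exempted accounts before an incident is ever created.
// Assumptions: watchlist alias 'ExemptUsers' (SearchKey = user principal name);
// the sign-in detection below is a placeholder rule, not a recommended threshold.
let exempt = _GetWatchlist('ExemptUsers')
    | project upn = tolower(SearchKey);      // normalise case once, in one place
SigninLogs
| where TimeGenerated > ago(1h)
| where ResultType == "0"                    // successful sign-ins only
| where isnotempty(UserPrincipalName)
| extend upn = tolower(UserPrincipalName)
| where upn !in (exempt)                     // exemption check: watchlist members are filtered out here
| summarize SignInCount = count(),
            Apps = make_set(AppDisplayName)
          by upn, IPAddress, bin(TimeGenerated, 1h)
| where SignInCount > 50                     // placeholder threshold for the stand-in detection
| extend AccountCustomEntity = upn,          // entity mappings so the incident still carries the account/IP
         IPCustomEntity = IPAddress
```

Because the filter runs in the rule query, an exempted user never produces an alert, so there is no incident to auto-close and no playbook latency. Editing the watchlist (adding or removing a `SearchKey` row) changes the exemption set on the rule's next run without touching the query, which is the "easier management" point the reply makes; the lower-casing on both sides avoids missing an exemption because of differing UPN capitalisation between the watchlist and the sign-in record.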