Forum Discussion

Kosa
Copper Contributor
Dec 19, 2025

Entity playbook in XDR

Hello All!

In my Logic Apps Sentinel automations I often use the entity trigger to run some workflows. Some time ago there was information that Sentinel will be moved to Microsoft XDR, and some of the Sentinel elements are already there. In XDR I can run a playbook from the incident level, but I can't do it from the entity level. For example, in XDR when I click on an IP or open the IP address page, I can't find a "Run playbook" button or something like that.

Do you know if the Run playbook on entity feature will be moved to XDR also?


Best,
Piotr K.

3 Replies

  • Kosa
    Copper Contributor

    Yes, he has, in the XDR and Entra context. But I have some automations on the entity level that send the entity for blocking in some third-party systems, and from XDR I can't do that. And I don't want to grab all the entities from an incident or alert, because I could block something that shouldn't be blocked.

  • Kosa
    Copper Contributor

    Yes, he has, in the context of the XDR or Entra. But I have some automations on the entity level to automate blocking it in some third-party systems, and I can't do it from the XDR. And I don't want to get all the entities from one incident or alert, so as not to block something that shouldn't be blocked.

  • Lex9191
    Copper Contributor

    This is one of the things most MSPs are complaining about; there is nothing regarding entity playbook execution in the roadmap, so chances are this functionality will not be part of the migration.

    That being said, consider refactoring your master playbooks.

    We are leveraging Azure Durable Functions to automate enrichment and also entity-level blocking, if required, whenever certain thresholds are met, so that we can remove manual executions.

    Also, the Defender XDR portal has many entity-level operations:


    1. revoke tokens
    2. mark user as compromised
    3. block account
    4. block IP, URL, FileHash
    5. some more
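The two points the replies make, blocking only the single entity that crossed a threshold (Lex9191's threshold-driven automation) and never sweeping up every entity attached to an incident (Kosa's concern), can be expressed as a small decision routine. The following is an added Python example, not code from the thread, from Microsoft or from either poster's playbooks: the payload shape is modelled on the Sentinel "Run playbook on entity" trigger JSON as an assumption, the thresholds, allow-lists and per-entity alert counts are constructed values, and the third-party block call is represented by the returned `BlockAction` records rather than a real API.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional

# Assumed policy (hypothetical numbers): an entity is blocked only when it
# appears in at least this many distinct alerts for its kind.
BLOCK_THRESHOLDS: Dict[str, int] = {"Ip": 3, "Account": 2, "Url": 1, "FileHash": 1}

# Constructed allow-lists: internal ranges and break-glass accounts that an
# automation must never block, whatever the incident contains.
NEVER_BLOCK_NETWORKS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]
NEVER_BLOCK_ACCOUNTS = {"breakglass@contoso.example"}


@dataclass(frozen=True)
class BlockAction:
    """One request that would be handed to the third-party blocking system."""
    kind: str
    value: str
    reason: str


def entity_value(entity: dict) -> str:
    """Extract the identifying value from an entity's kind-specific properties.
    Property names follow the Sentinel entity schema as an assumption."""
    kind = entity.get("kind")
    props = entity.get("properties", {})
    if kind == "Ip":
        return props["address"]
    if kind == "Account":
        return f"{props['accountName']}@{props['upnSuffix']}".lower()
    if kind == "Url":
        return props["url"]
    if kind == "FileHash":
        return props["hashValue"].lower()
    raise ValueError(f"unsupported entity kind: {kind!r}")


def is_protected(kind: str, value: str) -> bool:
    """True when the allow-list forbids auto-blocking this entity."""
    if kind == "Ip":
        return any(ip_address(value) in net for net in NEVER_BLOCK_NETWORKS)
    if kind == "Account":
        return value in NEVER_BLOCK_ACCOUNTS
    return False


def decide_for_entity(entity: dict, alert_count: int) -> Optional[BlockAction]:
    """Decision for one entity, as an entity-triggered playbook would make it.
    alert_count is the enrichment result (distinct alerts mentioning the
    entity); here the caller supplies it instead of querying the workspace."""
    kind = entity.get("kind")
    threshold = BLOCK_THRESHOLDS.get(kind)
    if threshold is None:
        return None  # no blocking integration for this kind
    value = entity_value(entity)
    if is_protected(kind, value):
        return None  # allow-listed: never auto-block
    if alert_count < threshold:
        return None  # below threshold: leave it to an analyst
    return BlockAction(kind, value, f"seen in {alert_count} alerts (threshold {threshold})")


def decide_for_incident(incident: dict, alert_counts: Dict[str, int]) -> List[BlockAction]:
    """Walk every entity of an incident and keep only those that individually
    qualify; everything else is left untouched."""
    actions: List[BlockAction] = []
    for entity in incident.get("entities", []):
        try:
            value = entity_value(entity)
        except (ValueError, KeyError):
            continue  # unknown kind or malformed entity: skip, never guess
        action = decide_for_entity(entity, alert_counts.get(value, 0))
        if action is not None:
            actions.append(action)
    return actions


# Constructed sample of an entity-trigger payload (shape assumed; addresses
# are from documentation ranges).
SAMPLE_ENTITY_TRIGGER = {
    "ObjectSchemaType": "Entity",
    "ObjectEventType": "Run playbook on entity",
    "Entity": {"kind": "Ip", "properties": {"address": "203.0.113.7"}},
}

# Constructed incident with mixed entities, as an incident trigger would deliver them.
SAMPLE_INCIDENT = {
    "entities": [
        {"kind": "Ip", "properties": {"address": "203.0.113.7"}},
        {"kind": "Ip", "properties": {"address": "10.1.2.3"}},
        {"kind": "Account", "properties": {"accountName": "alice", "upnSuffix": "contoso.example"}},
        {"kind": "Account", "properties": {"accountName": "BreakGlass", "upnSuffix": "contoso.example"}},
        {"kind": "Url", "properties": {"url": "http://malicious.example/x"}},
        {"kind": "Host", "properties": {"hostName": "ws-042"}},
    ]
}

# Constructed enrichment result: distinct alert count per entity value.
SAMPLE_ALERT_COUNTS = {
    "203.0.113.7": 4,
    "10.1.2.3": 9,
    "alice@contoso.example": 1,
    "breakglass@contoso.example": 5,
    "http://malicious.example/x": 1,
    "ws-042": 7,
}

if __name__ == "__main__":
    for action in decide_for_incident(SAMPLE_INCIDENT, SAMPLE_ALERT_COUNTS):
        print(f"BLOCK {action.kind} {action.value}: {action.reason}")
```

Run against the constructed incident, only the public IP and the URL come back as block actions: the internal IP and the break-glass account are filtered by the allow-list regardless of their counts, the account below threshold is left for an analyst, and the host entity is skipped because there is no integration for it. Moving the decision into a function like `decide_for_entity` is what lets the same logic serve an entity trigger today and an incident-scoped orchestration later without changing what gets blocked.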
