Adding playbooks to Microsoft Security out-of-the-box alert rule templates


Hi all,

I am trying to find a way to attach a playbook to the default Microsoft Security alert rules in Azure Sentinel. I am referring to the rules that automatically create Azure Sentinel incidents from alerts in other connected Microsoft security products (e.g. WDATP, Azure ATP, MCAS, etc.). The idea is that we've created a playbook (logic app) which automatically notifies a specific team via email and logs an incident in ServiceNow. We can attach the playbook to the other alert rules from the "Automated Response" tab when creating the rule from a template.

 

However, when you create an alert rule from a Microsoft Security default template (e.g. "Create incidents based on Azure Advanced Threat Protection alerts") you do not have this option (the "Automated Response" tab), hence you cannot attach a playbook to run automatically when an incident from this rule is created in Sentinel.

Is there any way to be able to do this?

I know that after the incident is created you can run the playbook manually, but the goal would be to run it automatically for this type of incidents as well.

5 Replies

@Cristian Calinescu You will need to create a playbook where the trigger is an alert in whatever Azure security tool you want to monitor alerts in, like Azure Security Center or Advanced Threat Protection. Then you can trigger playbooks when such alerts are created. For example:


@GunarsL - Thanks for the reply. This works indeed, but only for WDATP and Azure Security Center alerts. There is no trigger connector for Azure ATP, Microsoft Cloud App Security or O365 ATP alerts. Any further advice?


Does anyone have any other ideas in regard to this?


Hi @Ofer_Shezaf this one has been open a while. Are we likely to get functionality where we can run automated responses for all rule types? It really breaks up workflows where they're intended to be managed in other tools (Jira, SNow). Operators now need to be eyes on glass in Sentinel as well.

 

The only workaround we're aware of is to write a scheduled rule (for each severity) that searches the SecurityAlert table :sad:

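The scheduled-rule workaround pemontto mentions, written out as an added example (this is editor-supplied code, not something posted in the thread). A scheduled analytics rule does expose the "Automated response" tab, so a playbook can be attached to it; the query below re-surfaces raw alerts from the connectors that have no Logic Apps trigger (Azure ATP, MCAS, Office 365 ATP) so that such a rule can create the incident instead of the built-in Microsoft Security rule. The `ProviderName` values are assumed and must be checked against your own workspace, as the comment shows; the five-minute lookback is a placeholder that must match the rule's schedule settings.

```kusto
// Added example: scheduled rule query that replaces the built-in
// "Create incidents based on <product> alerts" rule for products with no
// Logic Apps alert trigger, so a playbook can be attached on the rule's
// "Automated response" tab.
//
// ASSUMPTION: these ProviderName strings are what the products stamp into
// SecurityAlert at the time of this thread. Verify in your workspace with:
//   SecurityAlert | summarize count() by ProviderName, ProductName
let providers = dynamic(["Azure Advanced Threat Protection", "MCAS", "OATP"]);
// Must equal the rule's "Run query every" / "Lookup data from the last" values,
// otherwise alerts are either missed or picked up twice across runs.
let lookback = 5m;
SecurityAlert
| where TimeGenerated > ago(lookback)
| where ProviderName in (providers)
// One scheduled rule per severity (as pemontto describes), so the attached
// playbook can set a different ServiceNow priority for each.
| where AlertSeverity == "High"
| extend ParsedEntities = parse_json(Entities)
| project TimeGenerated, SystemAlertId, ProviderName, ProductName, AlertName,
          AlertSeverity, Description, CompromisedEntity, Tactics, ParsedEntities
```

Two caveats when using this: leaving the built-in Microsoft Security rule for the same product enabled produces two incidents per alert (one from each rule), so disable that built-in rule for the products covered here; and a scheduled rule groups every row returned by one run into a single alert unless the rule's event-grouping option is set to raise an alert per result, which you will want if the playbook logs one ServiceNow incident per source alert.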

@pemontto : the feature is currently in private preview.