SOLVED

Create Incidents Based on (Microsoft Technology Connectors) Playbook issues


Hi all,

 

Has anyone managed to create a playbook which will alert or take action on alerts which occur from any of the rules "Create incidents based on (Microsoft Stack Technology e.g. MDATP, MCAS, AATP etc.)" within Azure Sentinel, without needing another analytics rule?

 

I've managed to alert on the incidents from the technologies using my own analytics rule pulling the events from the incidents table. Within this analytics rule I've attached a playbook which will then alert on these rules.

 

Would be interesting to see how other people have overcome this issue.
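As an added example (not code from the original post), this is the kind of scheduled analytics rule query the workaround above describes: it reads the SecurityIncident table, keeps only incidents whose alerts came from the Microsoft security product connectors, and a playbook attached to this rule then fires for each match. The product name strings and the 5 minute lookback are assumptions; check the names against your own workspace with `SecurityIncident | distinct tostring(AdditionalData.alertProductNames)` before relying on the filter.

```kql
// Added example, not from the original post. Scheduled analytics rule query
// over the SecurityIncident table; attach the playbook to this rule.
// Assumption: the rule runs every 5 minutes, so the lookback matches the
// run frequency and each source incident is picked up once.
let lookback = 5m;
// Assumption: product names as they appear in AdditionalData.alertProductNames
// for the Microsoft security connectors (verify in your own data).
let productNames = dynamic([
    "Microsoft Defender Advanced Threat Protection",
    "Microsoft Cloud App Security",
    "Azure Advanced Threat Protection"
]);
SecurityIncident
| where TimeGenerated > ago(lookback)
// Only newly created incidents, not later status or owner updates
| where Status == "New"
// One row per incident: the table logs every modification as a new row
| summarize arg_max(TimeGenerated, *) by IncidentNumber
// One row per source product so the filter can match any of them
| mv-expand productName = AdditionalData.alertProductNames to typeof(string)
| where productName in (productNames)
| project TimeGenerated, IncidentNumber, Title, Severity, productName, IncidentUrl
```

Two caveats a practitioner should keep in mind with this approach. First, every match creates a second incident in the workspace (the one raised by this rule on top of the original connector incident), so the playbook should act on the original incident, for example by using the IncidentUrl or IncidentNumber it receives, and the duplicate should be closed or suppressed. Second, if the rule frequency and lookback drift apart, incidents are either missed or fire twice, so keep the two values aligned.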

1 Reply
best response confirmed by arran1580 (Occasional Contributor)
Solution

@arran1580 This is coming soon. If you are interested, I would sign up for the Azure Sentinel private previews.