Create Playbook from Microsoft Security Rule Type


Can you create a playbook off of alerts generated by alerts that are of the Microsoft Security Rule Type? In this case I am wanting to create a playbook off of alerts in Sentinel generated by Azure AD Identity Protection. When I go and edit the settings for other analytic rules, there is a column for attaching a playbook, but I noticed that when I go into analytics created by Microsoft Security, I cannot. I'm assuming that I could take the query that the Identity Protection connector is running and create a custom analytic and then attach a playbook to that, but I was just seeing if there was an easier way to do this first.

1 Reply

@twessel That's not currently available. You can only assign automated responses to Scheduled Rules.