How to use 'When Azure Sentinel incident creation rule was triggered' trigger in playbook


Hi team,

I have been wondering whether this trigger, 'When Azure Sentinel incident creation rule was triggered', can be used at all.

I am unable to select a playbook that uses this trigger in any alert rule created under Azure Sentinel analytics.

Can someone please help me out with this?

I just want a playbook to be triggered using this trigger and post the incident details to Slack.

3 Replies

Hi,

I have the same problem. I have been trying to set up incident e-mail notifications for many days but have never achieved the desired result.

If you build the playbook starting with "When a response to an Azure Sentinel alert is triggered", the dynamic options they give you are very poor. You cannot add the incident URL (which I think is so basic!), and if you want to see the IPs and users you have to parse the JSON and take those values from there. But the result is not the desired one, because Azure Sentinel treats the IPs and users as individual entities, so it is impossible to take them together with some logic (for example, something as basic as: IP 10.10.10.10 with USER Federico). Moreover, if you do something like this you will receive as many e-mails as there are entities in the alert!

On the other hand, if you put this in a dynamic HTML table, the table also won't make much sense, because the entities will appear there with no relation to each other either.

The next step I tried is the trigger "When Azure Sentinel incident creation rule was triggered". Here it seems they provide you with more dynamic options (incident URL, IPs, users...); it seems this option has everything I need (and probably what most users need), but this trigger does not work properly! If you go to an incident and try to execute this playbook, it is as simple as this: the playbook does not appear!

Microsoft, please do something about all this; it makes no sense at all. Lots of clients are "playing" with and using Azure Sentinel because it is supposed to be a nice product. But not for now.

@uditk14 Since this feature is part of a private preview, you would probably have better luck using the form or the Email addresses to get assistance with this.

@Gary Bushey

I am facing the same problem. Just to confirm: while this is (Private View only), I am unable to use it in Sentinel? Is that right?

Do you have any guidance on not sending an e-mail when the alert is created but an incident is already open and the alert is grouped into that incident?

I am getting incident creation e-mails, but the alerts are being grouped together in the same incident, so they are not considered new incidents when it comes to handling time.

As the e-mail is sent for ticket management, more than one ticket is created; however, no new incidents were created, rather, the alerts were grouped in the same incident.

I would be grateful for some kind of help.
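The three concerns raised across this thread (the original post's goal of posting incident details to Slack, the first reply's complaint that iterating over entities yields one e-mail per entity with no relation between IPs and users, and the last reply's duplicate notifications when alerts are grouped into an already-open incident) all come down to shaping one message per incident. The following is an added example, not code from the thread or from Microsoft: it takes a constructed incident payload, collapses the entity list into one grouped summary, builds a single Slack webhook payload, and suppresses repeat deliveries of the same incident number. The payload field names (`title`, `severity`, `incidentNumber`, `incidentUrl`, `relatedEntities[].kind` / `.properties`) and the per-kind property names are assumptions modelled on the general shape of the Sentinel incident trigger output, not copied from the product schema; check them against the dynamic content your own trigger exposes.

```python
"""One Slack notification per Sentinel incident, with entities grouped by kind.

Added example; not code from the original thread. The incident payload below is a
constructed sample and its field names are assumptions, not the product schema.
"""
import json
import urllib.request
from collections import defaultdict
from typing import Dict, List, Set

# Constructed sample incident (assumed field names; values are made up).
SAMPLE_INCIDENT = {
    "object": {
        "properties": {
            "title": "Suspicious sign-in followed by mailbox rule change",
            "severity": "High",
            "incidentNumber": 1042,
            "incidentUrl": "https://portal.example/incidents/1042",
            "relatedEntities": [
                {"kind": "Account", "properties": {"accountName": "federico"}},
                {"kind": "Ip", "properties": {"address": "10.10.10.10"}},
                {"kind": "Ip", "properties": {"address": "203.0.113.7"}},
                {"kind": "Host", "properties": {"hostName": "WS-0421"}},
            ],
        }
    }
}

# Which property names an entity of each kind (assumed names for this example).
ENTITY_LABEL = {"Account": "accountName", "Ip": "address", "Host": "hostName", "Url": "url"}


def group_entities(incident: dict) -> Dict[str, List[str]]:
    """Collapse relatedEntities into {kind: [label, ...]}.

    Doing this once, before the notification action, is what avoids the
    one-message-per-entity fan-out you get by putting the Slack/mail action
    inside a loop over the entity list.
    """
    groups: Dict[str, List[str]] = defaultdict(list)
    props = incident["object"]["properties"]
    for ent in props.get("relatedEntities", []):
        kind = ent.get("kind", "Unknown")
        key = ENTITY_LABEL.get(kind)
        label = ent.get("properties", {}).get(key) if key else None
        # Unknown kinds still show up, as their raw properties, instead of being dropped.
        groups[kind].append(label or json.dumps(ent.get("properties", {}), sort_keys=True))
    return dict(groups)


def build_slack_payload(incident: dict) -> dict:
    """Return a single Slack incoming-webhook payload for the whole incident."""
    props = incident["object"]["properties"]
    groups = group_entities(incident)
    summary = f"[{props['severity']}] #{props['incidentNumber']} {props['title']}"
    entity_lines = [f"*{kind}*: {', '.join(vals)}" for kind, vals in sorted(groups.items())]
    return {
        "text": summary,  # plain-text fallback for clients that do not render blocks
        "blocks": [
            {"type": "section",
             "text": {"type": "mrkdwn", "text": f"<{props['incidentUrl']}|{summary}>"}},
            {"type": "section",
             "text": {"type": "mrkdwn", "text": "\n".join(entity_lines) or "_no entities_"}},
        ],
    }


def should_notify(incident: dict, seen: Set[int]) -> bool:
    """Notify only the first time an incident number is seen.

    When a new alert is grouped into an already-open incident the trigger can
    fire again for the same incident; keying on incidentNumber rather than on
    the alert suppresses the duplicate ticket/e-mail.
    """
    num = incident["object"]["properties"]["incidentNumber"]
    if num in seen:
        return False
    seen.add(num)
    return True


def post_to_slack(webhook_url: str, payload: dict) -> int:
    """POST the payload to a Slack incoming webhook and return the HTTP status."""
    req = urllib.request.Request(
        webhook_url,
        data=json.dumps(payload).encode(),
        headers={"Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status


if __name__ == "__main__":
    seen: Set[int] = set()
    # The same incident delivered twice, as happens when an alert is grouped into it.
    for inc in (SAMPLE_INCIDENT, SAMPLE_INCIDENT):
        if should_notify(inc, seen):
            print(json.dumps(build_slack_payload(inc), indent=2))
        else:
            print(f"incident #{inc['object']['properties']['incidentNumber']} already notified, skipped")
```

The same shaping can be done inside a Logic App by building the entity summary into one string before the Slack (or Office 365 mail) action, rather than placing that action inside a loop over the entity array; the Python above simply makes the grouping and the idempotency check explicit so they can be tested against a sample payload offline. The `seen` set is process-local here; a real playbook would need durable state (for example a table keyed on incident ID) for the duplicate check to survive across runs.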