Playbook Triggering


Hi everyone!


I'm working with playbooks and we want to get a copy of every Incident created in Sentinel sent to a centralised location. I originally implemented this with every Alert that fired, but that does not give every Incident; the Incidents created from other Sentinel components (MCAS, O365, PIM, etc) do not have the ability to launch a playbook like a regular Analytics Rule.


I recently saw the following option for a Playbook Trigger:


[Screenshot: Screenshot 2020-11-23 at 16.13.15.png]


However, I cannot figure out how to reference it within any Analytics Rule or anywhere within Sentinel! It does not seem to fire on its own when Incidents are created. How is this supposed to work?

3 Replies

@JKatzmandu This feature is still in private preview and, as far as I know, there is no official date for it to go to public preview. It is a bit confusing that the trigger shows up without being able to use it.


@Gary Bushey That's good to know. It is mentioned in documentation, but scantly. I'm back to running a query every 5 minutes against the "SecurityIncident" table to search for "New" incidents and then forwarding them via e-mail. I have a Condition that checks for the existence of the "IncidentUrl" string in the query results. If it's there, send the e-mail. If not, nada.

Also doing the same but with one analytic per severity. Can't wait until this has a first class solution!
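A KQL query that implements the polling workaround described in this thread, added here as an illustration and not the poster's own query. It assumes the SecurityIncident table schema as documented at the time of writing (IncidentNumber, Status, IncidentUrl, CreatedTime, LastModifiedTime, Severity columns) and a 5-minute recurrence matching the lookback window; the per-severity filter is shown commented out for the "one analytic per severity" variant.

```kusto
// Added example (not the poster's own query): poll SecurityIncident for
// incidents created since the last run of a playbook on a 5-minute recurrence.
// Assumes the SecurityIncident table schema current at the time of writing.
let lookback = 5m;
SecurityIncident
| where TimeGenerated > ago(lookback)
// The table stores one row per incident update, so keep only the latest
// row for each incident to avoid emitting the same incident several times
| summarize arg_max(LastModifiedTime, *) by IncidentNumber
// Only incidents still in the "New" state, i.e. not yet triaged
| where Status == "New"
// Only incidents actually created in this window, not older ones that were merely updated
| where CreatedTime > ago(lookback)
// Same guard as the poster's playbook condition: skip rows with no portal link
| where isnotempty(IncidentUrl)
// Uncomment for the per-severity variant (one query per severity level)
// | where Severity == "High"
| project IncidentNumber, Title, Severity, Status, CreatedTime, IncidentUrl
| order by CreatedTime desc
```

When the query returns no rows, the playbook's condition on IncidentUrl is false and nothing is sent, which matches the behaviour described in the reply. Because rows in SecurityIncident can arrive with some ingestion delay, a lookback slightly longer than the recurrence interval is safer against gaps, at the cost of occasionally re-emitting an incident; the receiving side should then deduplicate on IncidentNumber.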