SOLVED

Playbooks appear in playbooks list, but not available for automated response


'No playbooks to run' at Alert - New Playbooks. Playbooks space shows enabled security playbooks that passed test runs in the same subscription and same location. Automated response tab when editing rule has 'No playbooks to display'.  What can cause this? Thanks.

4 Replies
Best Response confirmed by John_Joyner (Occasional Contributor)
Solution

@John_Joyner It appears that only those playbooks that have the "Trigger kind" set to "Azure Sentinel" (AKA it uses the Sentinel trigger) will show up when trying to add automation to an Analysis.  Are any of your playbooks set to do this?

 

@Gary Bushey thank you for the pointer, I learned I was picking the wrong Logic App (one for Azure Security Center) rather than Sentinel. The trigger wasn't set to Sentinel as you diagnosed.

Best,

John

@Gary Bushey 

Hello, this may be outdated but I have the same issue and I'm actually using the Azure Sentinel trigger kind.

 

I utilize the "When Azure sentinel incident rule was triggered" entry point.

 

And I still can't see it in the available playbooks for automation.

 

Any thoughts?

@mjamati The trigger you have selected is only useable when used in conjunction with a private preview program. It is not useable for regular playbooks quite yet. For now, use the alert trigger rather than the incident trigger.