Oct 24 2019 08:23 PM
Oct 24 2019 08:23 PM
'No playbooks to run' at Alert - New Playbooks. Playbooks space shows enabled security playbooks that passed test runs in the same subscription and same location. Automated response tab when editing rule has 'No playbooks to display'. What can cause this? Thanks.
Oct 26 2019 08:02 AMSolution
@John_Joyner It appears that only those playbooks that have the "Trigger kind" set to "Azure Sentinel" (AKA it uses the Sentinel trigger) will show up when trying to add automation to an Analysis. Are any of your playbooks set to do this?
Oct 26 2019 05:55 PM
@Gary Bushey thank you for the pointer, I learned i was picking the wrong Logic App (one for Azure Security Center) rather than Sentinel. The trigger wasn't set to Sentinel as you diagnosed.
Jan 13 2021 05:16 PM
Hello, this may be outdated but I have the same issue and I'm actually using the Azure Sentinel trigger kind.
I utilizes the "When Azure sentinel incident rule was triggered" entry point.
And I still can't see it in the available playbooks for automation.
Jan 14 2021 05:13 AM
@mjamati The trigger you have selected is only useable when used in conjunction with a private preview program. It is useable for regular playbooks quite yet. For now, use the alert trigger rather than the incident trigger.
Mar 25 2021 11:20 AM
Hi, thanks for your instructions. It's been a while so not sure anyone is reading this post, but, we actually have the alert trigger, but the automation does not show any of the playbook. Any thought?
Mar 25 2021 12:26 PM
@ken5scal1995 The new automation feature requires that your playbooks use the new "When Azure Sentinel incident create rule was trigger" rather than the old one that triggered off an alert. The nice thing is that now you get all the Incident and Alert information in that one trigger, rather than having to get the alert information and use it to get the Incident information.
Mar 25 2021 05:38 PM
@Gary Bushey ohhh Ic. Let me try it out. Thanks!
>The new automation feature requires that your playbooks use the new "When Azure Sentinel incident create rule was trigger" rather than the old one that triggered off an alert.