SOLVED

Playbooks appear in playbooks list, but not available for automated response


'No playbooks to run' at Alert - New Playbooks. Playbooks space shows enabled security playbooks that passed test runs in the same subscription and same location. Automated response tab when editing rule has 'No playbooks to display'. What can cause this? Thanks.

7 Replies
best response confirmed by John_Joyner (Occasional Contributor)
Solution

@John_Joyner It appears that only those playbooks that have the "Trigger kind" set to "Azure Sentinel" (AKA it uses the Sentinel trigger) will show up when trying to add automation to an Analysis. Are any of your playbooks set to do this?

 

@Gary Bushey thank you for the pointer, I learned I was picking the wrong Logic App (one for Azure Security Center) rather than Sentinel. The trigger wasn't set to Sentinel as you diagnosed.

Best,

John

@Gary Bushey 

Hello, this may be outdated but I have the same issue and I'm actually using the Azure Sentinel trigger kind.

I utilize the "When Azure sentinel incident rule was triggered" entry point.

And I still can't see it in the available playbooks for automation.

Any thoughts?

@mjamati The trigger you have selected is only useable when used in conjunction with a private preview program. It is useable for regular playbooks quite yet. For now, use the alert trigger rather than the incident trigger.

@Gary Bushey 

Hi, thanks for your instructions. It's been a while so not sure anyone is reading this post, but, we actually have the alert trigger, but the automation does not show any of the playbooks. Any thoughts?

@ken5scal1995 The new automation feature requires that your playbooks use the new "When Azure Sentinel incident create rule was trigger" rather than the old one that triggered off an alert. The nice thing is that now you get all the Incident and Alert information in that one trigger, rather than having to get the alert information and use it to get the Incident information.

@Gary Bushey  ohhh Ic. Let me try it out. Thanks!

 

>The new automation feature requires that your playbooks use the new "When Azure Sentinel incident create rule was trigger" rather than the old one that triggered off an alert.
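
Added example, not part of the thread or any poster's code: a small audit that classifies exported Logic App workflow definitions by trigger, so you can see which playbooks use the Sentinel alert trigger, the Sentinel incident trigger, or something else (such as a Security Center trigger). The sample definitions, playbook names and the `/subscribe` and `/incident-creation` webhook paths are assumptions made for illustration; check them against a definition exported from your own tenant.

```python
import json

# Assumption: webhook paths of the Sentinel connector's two triggers as they
# appear in exported definitions; confirm against your own export.
SENTINEL_PATHS = {
    "/subscribe": "sentinel-alert",
    "/incident-creation": "sentinel-incident",
}

def trigger_kind(workflow: dict) -> str:
    """Classify one Logic App workflow (ARM resource or bare definition)."""
    props = workflow.get("properties", workflow)
    triggers = props.get("definition", props).get("triggers", {})
    if not triggers:
        return "no-trigger"
    for trig in triggers.values():
        inputs = trig.get("inputs") or {}
        # The connection reference names the connector, e.g. 'azuresentinel'.
        conn = json.dumps(inputs.get("host", {})).lower()
        if trig.get("type") == "ApiConnectionWebhook" and "sentinel" in conn:
            return SENTINEL_PATHS.get(inputs.get("path"), "sentinel-unknown")
    return "other"

def audit(playbooks: dict) -> dict:
    """Map playbook name -> trigger kind for a set of exported workflows."""
    return {name: trigger_kind(wf) for name, wf in playbooks.items()}

def _wf(conn: str, path: str) -> dict:
    # Helper that builds a constructed sample definition (hypothetical data).
    ref = f"@parameters('$connections')['{conn}']['connection']['id']"
    trig = {"type": "ApiConnectionWebhook",
            "inputs": {"host": {"connection": {"name": ref}}, "path": path}}
    return {"properties": {"definition": {"triggers": {"t": trig}}}}

# Constructed samples; names and the non-Sentinel connector are hypothetical.
SAMPLES = {
    "Block-User": _wf("azuresentinel", "/subscribe"),
    "Enrich-Incident": _wf("azuresentinel", "/incident-creation"),
    "ASC-Notify": _wf("ascalert", "/Microsoft.Security/Alert/subscribe"),
    "Manual-Http": {"definition": {"triggers": {
        "manual": {"type": "Request", "inputs": {}}}}},
}

if __name__ == "__main__":
    for name, kind in audit(SAMPLES).items():
        print(f"{name:16} {kind}")
```

Playbooks reported as `other` correspond to the original poster's case (a Logic App built for Azure Security Center); the alert versus incident split corresponds to the later replies about which trigger the automation feature lists.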