Playbooks not triggering automatically when an alert is generated

%3CLINGO-SUB%20id%3D%22lingo-sub-916638%22%20slang%3D%22en-US%22%3EPlaybooks%20not%20triggering%20automatically%20when%20an%20alert%20is%20generated%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-916638%22%20slang%3D%22en-US%22%3E%3CP%3EHi%20All%2C%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI'm%20trying%20to%20send%20an%20email%20notification%20when%20an%20alert%20is%20triggered%20in%20Sentinel.%20I've%20created%20a%20playbook%20using%20the%20%22When%20a%20response%20to%20an%20Azure%20Sentinel%20alert%20is%20triggered%22%20trigger%20and%20attached%20this%20to%20one%20of%20the%20built%20in%20analytics%20rules.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EWhen%20the%20analytics%20rule%20fires%20and%20an%20incident%20is%20created%2C%20the%20playbook%20doesn't%20run.%20If%20I%20go%20into%20the%20full%20details%20of%20the%20incident%20and%20click%20view%20playbooks%2C%20the%20playbook%20is%20there%20and%20I%20can%20run%20it%20manually%20with%20no%20problem.%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ECan%20anyone%20provide%20some%20guidance%20into%20what%20I'm%20doing%20wrong%3F%20Or%20is%20there%20another%20way%20to%20receive%20email%20notifications%20when%20a%20new%20incident%20is%20raised%3F%20I%20don't%20really%20want%20to%20have%20to%20keep%20an%20eye%20on%20the%20incidents%20view%20all%20day%20to%20see%20when%20a%20new%20incident%20is%20raised.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThanks.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-916857%22%20slang%3D%22en-US%22%3ERe%3A%20Playbooks%20not%20triggering%20automatically%20when%20an%20alert%20is%20generated%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-916857%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F427256%22%20target%3D%22_blank%22%3E%40stupac86%3C%2FA%3E%26nbsp%3BJust%20to%20verify%2C%20when%20you%20edit%20the%20Analytics%20in%20question%20and%20you%20go%20to%20the%20%22Automated%20Response%22%20tab%2C%20your%20playbook%20is%20listed%20as%20%22Selected%20playbook%22%3F%26nbsp%3B%20I%20have%20been%20bit%20my%20thinking%20I%20selected%20the%20playbook%20when%20I%20really%20hadn't%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-916979%22%20slang%3D%22en-US%22%3ERe%3A%20Playbooks%20not%20triggering%20automatically%20when%20an%20alert%20is%20generated%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-916979%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F46875%22%20target%3D%22_blank%22%3E%40Gary%20Bushey%3C%2FA%3E%26nbsp%3Bthanks%20for%20the%20reply.%20Yep%2C%20it's%20selected.%20Please%20see%20the%20attached%20screenshot.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-922412%22%20slang%3D%22en-US%22%3ERe%3A%20Playbooks%20not%20triggering%20automatically%20when%20an%20alert%20is%20generated%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-922412%22%20slang%3D%22en-US%22%3E%3CP%3EHello%3C%2FP%3E%3CP%3EI%20have%20the%20same%20issue%2C%20I%20can't%20automate%20playbooks%20to%20send%20me%20emails%20when%20new%20alerts%20are%20triggered.%20So%20far%20I%20have%20only%20turned%20on%20standard%20Microsoft%20alert%20templates%20present%20in%20the%20analytics%20tab%20and%20linked%20my%20alert%20playbook%20to%20all%20of%20them%20which%20I%20have%20turned%20on.%20However%2C%20non%20of%20them%20gave%20me%20%22Real-time%20automation%22%20tabs%20like%20in%20this%20%3CA%20title%3D%22Tutorial%3A%20Set%20up%20automated%20threat%20responses%20in%20Azure%20Sentinel%22%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fsentinel%2Ftutorial-respond-threats-playbook%22%20target%3D%22_self%22%20rel%3D%22noopener%20noreferrer%22%3ETutorial%3A%20Automate%20threat%20responses.%26nbsp%3B%3C%2FA%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1001479%22%20slang%3D%22en-US%22%3ERe%3A%20Playbooks%20not%20triggering%20automatically%20when%20an%20alert%20is%20generated%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1001479%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F427256%22%20target%3D%22_blank%22%3E%40stupac86%3C%2FA%3E%26nbsp%3B%20Even%20I%20am%20facing%20the%20same%20issue%2C%20I%20have%20to%20trigger%20the%20playbook%20manually%20to%20get%20the%20alerts.%20Have%20you%20had%20any%20luck%20so%20far%3F%20If%20yes%2C%20please%20suggest%20what%20was%20done.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1018133%22%20slang%3D%22en-US%22%3ERe%3A%20Playbooks%20not%20triggering%20automatically%20when%20an%20alert%20is%20generated%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1018133%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F427256%22%20target%3D%22_blank%22%3E%40stupac86%3C%2FA%3E%26nbsp%3Bdid%20you%20get%20an%20answer%20from%20Microsoft%20for%20this%20issue%20%3F%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThey%20uploaded%20documentation%20on%20november%2011th%20regarding%20%22Automate%20threat%20responses%22%2C%20but%20the%20feature%20doesn't%20seem%20to%20be%20available%20anymore%20....%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20myself%20am%20trying%20to%20automate%20a%20playbook%20in%20order%20to%20close%20false-positive%20alerts%20in%20sentinel%2C%20but%20i%20can't%20configure%20the%20default%20analytic%20rules%20(Like%20ASC%20alerts)%20to%20trigger%20the%20playbook.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1019833%22%20slang%3D%22en-US%22%3ERe%3A%20Playbooks%20not%20triggering%20automatically%20when%20an%20alert%20is%20generated%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1019833%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F427256%22%20target%3D%22_blank%22%3E%40stupac86%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EHi%20Folks%2C%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20was%20going%20through%20this%20with%20Microsoft%20and%20came%20to%20know%20that%20when%20an%20alert%20is%20triggered%20from%20any%20other%20source%20other%20than%20Azure%20Sentinel%2C%20the%20playbook%20will%20not%20get%20triggered%20automatically.%26nbsp%3B%3C%2FP%3E%3CP%3EConsider%20this%20example%20%3A%20You%20have%20an%20alert%20in%20MCAS%20and%20is%20forwarded%20to%20Sentinel%2C%20you%20will%20be%20able%20to%20see%20the%20alert%20in%20Sentinel%20with%20source%20name%20as%20%22MCAS%22%2C%20but%20it%20will%20not%20trigger%20the%20playbook%20automatically.%20However%2C%20if%20you%20have%20an%20analytical%20rule%20in%20Azure%20sentinel%20that%20queries%20and%20triggers%20the%20same%20alert%20as%20per%20the%20schedule%20only%20then%20the%20playbook%20will%20be%20triggered.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EAutomatic%20triggering%20of%20playbooks%20from%20different%20sources%20via%20Sentinel%20is%20currently%20in%20preview.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20have%20been%20trying%20to%20simulate%20the%20same%20in%20our%20environment%20as%20to%20no%20yield.%20You%20might%20try%20this%20as%20well%20and%20let%20everyone%20know%20if%20this%20works.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EPlease%20do%20correct%20me%20if%20I%20am%20wrong.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1305884%22%20slang%3D%22en-US%22%3ERe%3A%20Playbooks%20not%20triggering%20automatically%20when%20an%20alert%20is%20generated%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1305884%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F428046%22%20target%3D%22_blank%22%3E%40Pranesh1060%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI'm%20having%20the%20exact%20same%20issue%205%20months%20after%20this%20thread%20stopped%2C%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EOpen%20case%20with%20MS%20and%20they%20admit%20the%20Sentinel%20trigger%20does%20not%20work%20consistently%2C%20kind%20of%20critical%20in%20my%20view%20for%20a%20SIEM%2C%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1506013%22%20slang%3D%22en-US%22%3ERe%3A%20Playbooks%20not%20triggering%20automatically%20when%20an%20alert%20is%20generated%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1506013%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F428046%22%20target%3D%22_blank%22%3E%40Pranesh1060%3C%2FA%3E%26nbsp%3B%3A%20any%20news%20about%20the%20Sentinel%20trigger%20(preview)%20%22When%20Azure%20Sentinel%20incident%20creation%20rule%20was%20triggered%22%3F%26nbsp%3BHow%20to%20use%20it%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20tried%20to%20set%20the%20analytic%20rules%20(incident-based)%20with%20the%20Playbook%20using%20the%20new%20trigger%26nbsp%3B%20but%20I%20got%20the%20error%20%22Playbook%20XXXXXXX%20doesn't%20start%20with%20'When_a_response_to_an_Azure_Sentinel_alert_is_triggered'%20step!%22%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ETIA%3C%2FP%3E%3CP%3EDavide%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1517290%22%20slang%3D%22en-US%22%3ERe%3A%20Playbooks%20not%20triggering%20automatically%20when%20an%20alert%20is%20generated%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1517290%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F266146%22%20target%3D%22_blank%22%3E%40DavideB%3C%2FA%3E%3A%20the%20incident%20trigger%20is%20currently%20in%20private%20preview.%20The%20way%20things%20work%2C%20the%20Logic%20App%20connector%20support%20for%20it%20cannot%20be%20private%20and%20hence%20you%20see%20it%20documented.%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1530812%22%20slang%3D%22en-US%22%3ERe%3A%20Playbooks%20not%20triggering%20automatically%20when%20an%20alert%20is%20generated%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1530812%22%20slang%3D%22en-US%22%3EThank%20you!%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1830161%22%20slang%3D%22en-US%22%3ERe%3A%20Playbooks%20not%20triggering%20automatically%20when%20an%20alert%20is%20generated%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1830161%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F293879%22%20target%3D%22_blank%22%3E%40Ofer_Shezaf%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20am%20facing%20the%20same%20problem.%20Just%20to%20confirm%2C%20while%20I%20am%20with%20(Private%20View%20only)%2C%20I%20am%20unable%20to%20use%20in%20the%20Sentinel%3F%20It%20is%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EDo%20you%20have%20any%20indication%20not%20to%20send%20email%20when%20the%20alert%20is%20created%2C%20but%20an%20incident%20is%20already%20open%20and%20the%20alert%20is%20grouped%20for%20that%20incident%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20am%20getting%20created%20creation%20emails%2C%20but%20they%20are%20being%20grouped%20together%20in%20the%20same%20incident%2C%20so%20they%20are%20not%20considered%20new%20incidents%20for%20dealing%20with%20time.%3C%2FP%3E%3CP%3EAs%20the%20e-mail%20is%20sent%20for%20ticket%20management%2C%20more%20than%20one%20incident%20is%20created%2C%20however%2C%20no%20new%20incidents%20were%20created%2C%20rather%2C%20alerts%20grouped%20in%20the%20same%20incident.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20would%20be%20grateful%20for%20some%20kind%20of%20help.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1923447%22%20slang%3D%22en-US%22%3ERe%3A%20Playbooks%20not%20triggering%20automatically%20when%20an%20alert%20is%20generated%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1923447%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F266146%22%20target%3D%22_blank%22%3E%40DavideB%3C%2FA%3E%26nbsp%3BSo%20I%20ran%20into%20this%20at%20one%20point%3B%20I%20added%20a%20%22delay%22%20of%20one%20minute%20to%20my%20workflow%20so%20the%20Alert%20will%20be%20successfully%20created%20and%20written%20into%20Sentinel%20when%20it's%20sent%20out.%20This%20fixed%20that%20problem%2C%20so%20whenever%20a%20Sentinel%20Analytics%20rule%20would%20fire%20and%20I%20had%20the%20Workbook%20hooked%20in%20through%26nbsp%3B%20a%20Sentinel%20Analytics%20Rule%20to%20a%20%22When%20a%20response%20to%20an%20Azure%20Sentinel%20alert%20is%20triggered%22%20it%20would%20work.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ENow%20I'm%20experimenting%20with%20the%20%22private%20preview%22%20for%20when%20an%20%22Incident%22%20is%20created%2C%20as%20we%20want%20to%20forward%20not%20just%20Sentinel%20rules%2C%20but%20all%20alerts%20from%20all%20products.%20My%20confusion%20is%20how%20do%20I%20like%20the%20Incident%20Creation%20trigger%20to%20the%20rules%20that%20are%20%22Create%20an%20Incident%20from%20MCAS%20Alert%22-style%20Analytics%20rules%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E
New Contributor

Hi All,

 

I'm trying to send an email notification when an alert is triggered in Sentinel. I've created a playbook using the "When a response to an Azure Sentinel alert is triggered" trigger and attached this to one of the built in analytics rules.

 

When the analytics rule fires and an incident is created, the playbook doesn't run. If I go into the full details of the incident and click view playbooks, the playbook is there and I can run it manually with no problem. 

 

Can anyone provide some guidance into what I'm doing wrong? Or is there another way to receive email notifications when a new incident is raised? I don't really want to have to keep an eye on the incidents view all day to see when a new incident is raised.

 

Thanks.

 

 

12 Replies

@stupac86 Just to verify, when you edit the Analytics in question and you go to the "Automated Response" tab, your playbook is listed as "Selected playbook"?  I have been bit my thinking I selected the playbook when I really hadn't

@Gary Bushey thanks for the reply. Yep, it's selected. Please see the attached screenshot.

Hello

I have the same issue, I can't automate playbooks to send me emails when new alerts are triggered. So far I have only turned on standard Microsoft alert templates present in the analytics tab and linked my alert playbook to all of them which I have turned on. However, non of them gave me "Real-time automation" tabs like in this Tutorial: Automate threat responses. 

 

@stupac86  Even I am facing the same issue, I have to trigger the playbook manually to get the alerts. Have you had any luck so far? If yes, please suggest what was done.

@stupac86 did you get an answer from Microsoft for this issue ? 

 

They uploaded documentation on november 11th regarding "Automate threat responses", but the feature doesn't seem to be available anymore ....

 

I myself am trying to automate a playbook in order to close false-positive alerts in sentinel, but i can't configure the default analytic rules (Like ASC alerts) to trigger the playbook.

@stupac86 

 

Hi Folks,

 

I was going through this with Microsoft and came to know that when an alert is triggered from any other source other than Azure Sentinel, the playbook will not get triggered automatically. 

Consider this example : You have an alert in MCAS and is forwarded to Sentinel, you will be able to see the alert in Sentinel with source name as "MCAS", but it will not trigger the playbook automatically. However, if you have an analytical rule in Azure sentinel that queries and triggers the same alert as per the schedule only then the playbook will be triggered.

 

Automatic triggering of playbooks from different sources via Sentinel is currently in preview.

 

I have been trying to simulate the same in our environment as to no yield. You might try this as well and let everyone know if this works.

 

Please do correct me if I am wrong.

@Pranesh1060 

 

I'm having the exact same issue 5 months after this thread stopped,

 

Open case with MS and they admit the Sentinel trigger does not work consistently, kind of critical in my view for a SIEM,

@Pranesh1060 : any news about the Sentinel trigger (preview) "When Azure Sentinel incident creation rule was triggered"? How to use it?

 

I tried to set the analytic rules (incident-based) with the Playbook using the new trigger  but I got the error "Playbook XXXXXXX doesn't start with 'When_a_response_to_an_Azure_Sentinel_alert_is_triggered' step!"

 

TIA

Davide 

@DavideB: the incident trigger is currently in private preview. The way things work, the Logic App connector support for it cannot be private and hence you see it documented. 

@Ofer_Shezaf 

I am facing the same problem. Just to confirm, while I am with (Private View only), I am unable to use in the Sentinel? It is?

 

Do you have any indication not to send email when the alert is created, but an incident is already open and the alert is grouped for that incident?

 

I am getting created creation emails, but they are being grouped together in the same incident, so they are not considered new incidents for dealing with time.

As the e-mail is sent for ticket management, more than one incident is created, however, no new incidents were created, rather, alerts grouped in the same incident.

 

I would be grateful for some kind of help.

@DavideB So I ran into this at one point; I added a "delay" of one minute to my workflow so the Alert will be successfully created and written into Sentinel when it's sent out. This fixed that problem, so whenever a Sentinel Analytics rule would fire and I had the Workbook hooked in through  a Sentinel Analytics Rule to a "When a response to an Azure Sentinel alert is triggered" it would work.

 

Now I'm experimenting with the "private preview" for when an "Incident" is created, as we want to forward not just Sentinel rules, but all alerts from all products. My confusion is how do I like the Incident Creation trigger to the rules that are "Create an Incident from MCAS Alert"-style Analytics rules?