10-16-2019 05:27 AM
I'm trying to send an email notification when an alert is triggered in Sentinel. I've created a playbook using the "When a response to an Azure Sentinel alert is triggered" trigger and attached this to one of the built in analytics rules.
When the analytics rule fires and an incident is created, the playbook doesn't run. If I go into the full details of the incident and click view playbooks, the playbook is there and I can run it manually with no problem.
Can anyone provide some guidance into what I'm doing wrong? Or is there another way to receive email notifications when a new incident is raised? I don't really want to have to keep an eye on the incidents view all day to see when a new incident is raised.
10-16-2019 09:40 AM
@stupac86 Just to verify, when you edit the Analytics rule in question and you go to the "Automated Response" tab, your playbook is listed as "Selected playbook"? I have been bit by thinking I selected the playbook when I really hadn't.
10-16-2019 11:22 AM
@Gary Bushey thanks for the reply. Yep, it's selected. Please see the attached screenshot.
10-21-2019 07:54 AM
I have the same issue, I can't automate playbooks to send me emails when new alerts are triggered. So far I have only turned on standard Microsoft alert templates present in the Analytics tab and linked my alert playbook to all of them which I have turned on. However, none of them gave me "Real-time automation" tabs like in this Tutorial: Automate threat responses.
11-12-2019 01:07 AM
@stupac86 Even I am facing the same issue, I have to trigger the playbook manually to get the alerts. Have you had any luck so far? If yes, please suggest what was done.
11-19-2019 10:07 AM
@stupac86 did you get an answer from Microsoft for this issue?
They uploaded documentation on November 11th regarding "Automate threat responses", but the feature doesn't seem to be available anymore...
I myself am trying to automate a playbook in order to close false-positive alerts in Sentinel, but I can't configure the default analytic rules (like ASC alerts) to trigger the playbook.
11-20-2019 12:41 AM
I was going through this with Microsoft and came to know that when an alert is triggered from any source other than Azure Sentinel, the playbook will not get triggered automatically.
Consider this example: you have an alert in MCAS and it is forwarded to Sentinel. You will be able to see the alert in Sentinel with source name "MCAS", but it will not trigger the playbook automatically. However, if you have an analytical rule in Azure Sentinel that queries and triggers the same alert as per the schedule, only then will the playbook be triggered.
Automatic triggering of playbooks from different sources via Sentinel is currently in preview.
I have been trying to simulate the same in our environment, to no avail. You might try this as well and let everyone know if this works.
Please do correct me if I am wrong.
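The workaround described in the post above, written out as an added example (not part of the original thread or of any Microsoft template): a KQL query for a scheduled Azure Sentinel analytics rule that re-surfaces alerts the SecurityAlert table already holds from MCAS. Because the alert is then raised by a Sentinel analytics rule rather than by the external product, the playbook selected on that rule's "Automated Response" tab runs on the schedule. The provider name "MCAS", the 1h lookback, and the severity filter are assumptions; check the ProviderName values present in your own workspace before relying on them.

```kql
// Added example, not from the original thread.
// Scheduled analytics rule query: re-raise alerts forwarded from MCAS
// so that a Sentinel-generated alert (and its attached playbook) fires.
// ASSUMPTIONS: ProviderName == "MCAS" is the value seen in this workspace;
// ago(1h) matches the rule's "Run query every" / "Lookup data from the last"
// settings, so each external alert is picked up exactly once.
SecurityAlert
| where TimeGenerated > ago(1h)
| where ProviderName == "MCAS"
// Optional noise control: only re-raise Medium/High (assumed severities)
| where AlertSeverity in ("High", "Medium")
// Keep the fields the playbook will want in the Sentinel alert entity
| project TimeGenerated, AlertName, AlertSeverity, Description,
          CompromisedEntity, ProviderName, ExtendedProperties
```

Set the rule's query frequency equal to its lookback period; a lookback longer than the frequency re-raises the same external alert on every run, and a shorter one silently drops alerts that arrive between runs. Note that this produces a second Sentinel alert for each MCAS alert, so tune the severity and provider filters so only the alerts you actually want notified or auto-closed are duplicated.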
04-14-2020 07:29 AM
I'm having the exact same issue 5 months after this thread stopped.
Opened a case with MS and they admit the Sentinel trigger does not work consistently, kind of critical in my view for a SIEM.