Forum Discussion
Unable to add playbook to automated incident response for Azure Sentinel
I created a playbook using an Azure Sentinel Incident creation trigger, which shows up as in preview.
I can test everything from the playbook itself: it's able to generate an email and/or slack message depending on the situation.
However, when going to azure sentinel incident rule settings, no playbook show up as available.
I can confirm that if I list all configured playbooks, that one shows an Azure Sentinel Incident (preview) trigger kind.
mjamati Is the Analytics rule with which you are trying to add the Playbook a custom rule created by you or default one/Fusion Rule built by Microsoft?
For Fusion/Default rule created by Microsoft, you won't be able to attach a Playbook. The feature is currently not in Public Preview.
- Can we attach the playbook to the fusion rule? As you are saying it is in public preview, where is the option to do it? Can you help me with this process, please?
- This is a private preview and can only be accessed through the private preview program.
If you have an active NDA with Microsoft, you could enroll into the program => https://forms.office.com/Pages/ResponsePage.aspx?id=v4j5cvGGr0GRqy180BHbR-kibZAPJAVBiU46J6wWF_5URDFSWUhYUldTWjdJNkFMVU1LTEU4VUZHMy4u mjamati Bumping this .
I am also unable to add playbooks to a Fusion Rule. I am able to see some playbooks within the "run playbook - action" but not all including the one I wish to use. I also can't see any difference in the playbooks I can and can't see. They are in the same resource group ect.
Hcrossley I am able to see the "Advanced Multistage Attack Detection" fusion rule when I am look at the listing of all the rules. (ignore the blank entries in the list, that is another issue)
GaryBushey So my issue is when you select "run a playbook" It then only shows certain logic apps that can be run and not others. But I am unsure why it doesn't show them.
