Unable to add playbook to automated incident response for Azure Sentinel


I created a playbook using an Azure Sentinel Incident creation trigger, which shows up as in preview.

I can test everything from the playbook itself: it's able to generate an email and/or Slack message depending on the situation.

However, when going to Azure Sentinel incident rule settings, no playbook shows up as available.

I can confirm that if I list all configured playbooks, that one shows an Azure Sentinel Incident (preview) trigger kind.

3 Replies

@mjamati Is the Analytics rule with which you are trying to add the Playbook a custom rule created by you or a default one/Fusion Rule built by Microsoft?

For Fusion/Default rule created by Microsoft, you won't be able to attach a Playbook. The feature is currently not in Public Preview.

This is a private preview and can only be accessed through the private preview program.
If you have an active NDA with Microsoft, you could enroll into the program => https://forms.office.com/Pages/ResponsePage.aspx?id=v4j5cvGGr0GRqy180BHbR-kibZAPJAVBiU46J6wWF_5URDFS...
Can we attach the playbook to the Fusion rule? As you are saying it is in public preview, where is the option to do it? Can you help me with this process, please?