cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Unable to add playbook to automated incident response for Azure Sentinel

%3CLINGO-SUB%20id%3D%22lingo-sub-2059103%22%20slang%3D%22en-US%22%3EUnable%20to%20add%20playbook%20to%20automated%20incident%20response%20for%20Azure%20Sentinel%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2059103%22%20slang%3D%22en-US%22%3E%3CP%3EI%20created%20a%20playbook%20using%20an%20Azure%20Sentinel%20Incident%20creation%20trigger%2C%20which%20shows%20up%20as%20in%20preview.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20can%20test%20everything%20from%20the%20playbook%20itself%3A%20it's%20able%20to%20generate%20an%20email%20and%2For%20slack%20message%20depending%20on%20the%20situation.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EHowever%2C%20when%20going%20to%20azure%20sentinel%20incident%20rule%20settings%2C%20no%20playbook%20show%20up%20as%20available.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20can%20confirm%20that%20if%20I%20list%20all%20configured%20playbooks%2C%20that%20one%20shows%20an%20%3CSTRONG%3EAzure%20Sentinel%20Incident%20(preview)%3C%2FSTRONG%3E%20trigger%20kind.%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2059719%22%20slang%3D%22en-US%22%3ERe%3A%20Unable%20to%20add%20playbook%20to%20automated%20incident%20response%20for%20Azure%20Sentinel%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2059719%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F928404%22%20target%3D%22_blank%22%3E%40mjamati%3C%2FA%3E%26nbsp%3BIs%20the%20Analytics%20rule%20with%20which%20you%20are%20trying%20to%20add%20the%20Playbook%20a%20custom%20rule%20created%20by%20you%20or%20default%20one%2FFusion%20Rule%20built%20by%20Microsoft%3F%3C%2FP%3E%3CP%3EFor%20Fusion%20rule%2C%20you%20won't%20be%20able%20to%20attach%20a%20Playbook.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2059932%22%20slang%3D%22en-US%22%3ERe%3A%20Unable%20to%20add%20playbook%20to%20automated%20incident%20response%20for%20Azure%20Sentinel%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2059932%22%20slang%3D%22en-US%22%3EThis%20is%20a%20private%20preview%20and%20can%20only%20be%20accessed%20through%20the%20private%20preview%20program.%3CBR%20%2F%3EIf%20you%20have%20an%20active%20NDA%20with%20Microsoft%2C%20you%20could%20enroll%20into%20the%20program%20%3D%26gt%3B%20%3CA%20href%3D%22https%3A%2F%2Fforms.office.com%2FPages%2FResponsePage.aspx%3Fid%3Dv4j5cvGGr0GRqy180BHbR-kibZAPJAVBiU46J6wWF_5URDFSWUhYUldTWjdJNkFMVU1LTEU4VUZHMy4u%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fforms.office.com%2FPages%2FResponsePage.aspx%3Fid%3Dv4j5cvGGr0GRqy180BHbR-kibZAPJAVBiU46J6wWF_5URDFSWUhYUldTWjdJNkFMVU1LTEU4VUZHMy4u%3C%2FA%3E%3C%2FLINGO-BODY%3E
mjamati
New Contributor

‎Jan 13 2021 05:21 PM

‎Jan 13 2021 05:21 PM

Unable to add playbook to automated incident response for Azure Sentinel

I created a playbook using an Azure Sentinel Incident creation trigger, which shows up as in preview.

 

I can test everything from the playbook itself: it's able to generate an email and/or slack message depending on the situation.

 

However, when going to azure sentinel incident rule settings, no playbook show up as available.

 

I can confirm that if I list all configured playbooks, that one shows an Azure Sentinel Incident (preview) trigger kind. 

309 Views
0 Likes
3 Replies
Reply
3 Replies
AnuragSrivastava

‎Jan 14 2021 12:32 AM - edited ‎Jan 14 2021 12:37 AM

‎Jan 14 2021 12:32 AM - edited ‎Jan 14 2021 12:37 AM

Re: Unable to add playbook to automated incident response for Azure Sentinel

@mjamati Is the Analytics rule with which you are trying to add the Playbook a custom rule created by you or default one/Fusion Rule built by Microsoft?

For Fusion/Default rule created by Microsoft, you won't be able to attach a Playbook. The feature is currently not in Public Preview.

0 Likes
Reply
Thijs Lecomte

‎Jan 14 2021 01:37 AM

‎Jan 14 2021 01:37 AM

Re: Unable to add playbook to automated incident response for Azure Sentinel

This is a private preview and can only be accessed through the private preview program.
If you have an active NDA with Microsoft, you could enroll into the program => https://forms.office.com/Pages/ResponsePage.aspx?id=v4j5cvGGr0GRqy180BHbR-kibZAPJAVBiU46J6wWF_5URDFS...
0 Likes
Reply
printscreen

‎Feb 25 2021 05:12 AM

‎Feb 25 2021 05:12 AM

Re: Unable to add playbook to automated incident response for Azure Sentinel

Can we attach the playbook to the fusion rule? As you are saying it is in public preview, where is the option to do it? Can you help me with this process, please?
0 Likes
Reply