Unable to add playbook to automated incident response for Azure Sentinel

%3CLINGO-SUB%20id%3D%22lingo-sub-2059103%22%20slang%3D%22en-US%22%3EUnable%20to%20add%20playbook%20to%20automated%20incident%20response%20for%20Azure%20Sentinel%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2059103%22%20slang%3D%22en-US%22%3E%3CP%3EI%20created%20a%20playbook%20using%20an%20Azure%20Sentinel%20Incident%20creation%20trigger%2C%20which%20shows%20up%20as%20in%20preview.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20can%20test%20everything%20from%20the%20playbook%20itself%3A%20it's%20able%20to%20generate%20an%20email%20and%2For%20slack%20message%20depending%20on%20the%20situation.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EHowever%2C%20when%20going%20to%20azure%20sentinel%20incident%20rule%20settings%2C%20no%20playbook%20show%20up%20as%20available.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20can%20confirm%20that%20if%20I%20list%20all%20configured%20playbooks%2C%20that%20one%20shows%20an%20%3CSTRONG%3EAzure%20Sentinel%20Incident%20(preview)%3C%2FSTRONG%3E%20trigger%20kind.%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2059719%22%20slang%3D%22en-US%22%3ERe%3A%20Unable%20to%20add%20playbook%20to%20automated%20incident%20response%20for%20Azure%20Sentinel%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2059719%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F928404%22%20target%3D%22_blank%22%3E%40mjamati%3C%2FA%3E%26nbsp%3BIs%20the%20Analytics%20rule%20with%20which%20you%20are%20trying%20to%20add%20the%20Playbook%20a%20custom%20rule%20created%20by%20you%20or%20default%20one%2FFusion%20Rule%20built%20by%20Microsoft%3F%3C%2FP%3E%3CP%3EFor%20Fusion%20rule%2C%20you%20won't%20be%20able%20to%20attach%20a%20Playbook.%3C%2FP%3E%3C%2FLINGO-BODY%3E
New Contributor

I created a playbook using an Azure Sentinel Incident creation trigger, which shows up as in preview.

 

I can test everything from the playbook itself: it's able to generate an email and/or slack message depending on the situation.

 

However, when going to azure sentinel incident rule settings, no playbook show up as available.

 

I can confirm that if I list all configured playbooks, that one shows an Azure Sentinel Incident (preview) trigger kind. 

2 Replies

@mjamati Is the Analytics rule with which you are trying to add the Playbook a custom rule created by you or default one/Fusion Rule built by Microsoft?

For Fusion/Default rule created by Microsoft, you won't be able to attach a Playbook. The feature is currently not in Public Preview.

This is a private preview and can only be accessed through the private preview program.
If you have an active NDA with Microsoft, you could enroll into the program => https://forms.office.com/Pages/ResponsePage.aspx?id=v4j5cvGGr0GRqy180BHbR-kibZAPJAVBiU46J6wWF_5URDFS...