What’s new: Automation rules

Published Mar 17 2021 05:41 AM
Microsoft

Security teams are often burdened with a growing number and complexity of security incidents. Automation offers a path to handling the long series of repetitive tasks involved in incident triage, investigation and response, letting analysts focus on the most important incidents and allowing SOCs to achieve more with the resources they have.


Automation rules are a new concept in Azure Sentinel that lets you manage the automation of incident handling centrally. Besides letting you assign playbooks to incidents from every source, automation rules also let you automate responses for multiple analytics rules at once, automatically tag, assign, or close incidents without the need for playbooks, and control the order in which actions are executed. Automation rules are meant to simplify the use of automation in Azure Sentinel while giving you better control and visibility.

What are automation rules?

Automation rules consist of several parts:

  • Trigger – automation rules are triggered when an incident is created.
  • Conditions – a comprehensive set of conditions on the incident and entity details that control whether the actions should be executed.
  • Actions – actions that will be executed, in order, if the conditions are met. The actions supported now are:
    • Running a playbook
    • Changing the status of an incident
    • Changing the severity of an incident
    • Assigning an incident to an owner
    • Adding a tag to an incident

Automation rules are executed in an order defined by the user and can also be set to expire after a defined period. More triggers, conditions, and actions will be introduced in the future.

[Image: Ely_Abramovitch_0-1615983311344.png]

Sample use cases and scenarios


Incident suppression

Automatically resolve incidents that are known false or benign positives without the use of playbooks. For example, when running penetration tests, doing scheduled maintenance or upgrades, or testing automation procedures, many false-positive incidents may be created that the SOC wants to ignore. A time-limited automation rule can automatically close these incidents as they are created while tagging them with a descriptor of what caused them.

Playbook management

View all playbooks that are triggered by analytics rules and assign playbooks to multiple analytics rules centrally. For example, if all your incidents are exported to an external system, you can define that export playbook once and apply it to all rules.

Incident-triggered automation

Until now, only alerts could trigger an automated response using playbooks. With automation rules, incidents can now trigger an automated response as well.


Automatic assignment

You can assign incidents to the right owner automatically. If your SOC has an analyst specializing in a particular platform, any incidents relating to that platform can be automatically assigned to that analyst.


Multiple sequenced playbooks/actions in a single rule

You can now control the order of execution of actions and playbooks, and the order in which the automation rules themselves are executed. This lets you greatly simplify your playbooks, reducing each to a single task or a small, straightforward sequence of tasks, and combine these small playbooks in different combinations across different automation rules.
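As an added illustration (not code from this post or from Azure Sentinel itself), the following Python models the rule components described above and the incident-suppression and automatic-assignment scenarios: a creation trigger, conditions on incident and entity details, the five action types run in order, user-defined rule order, and rule expiry. The rule names, host names, analyst address, tag and expiry date are constructed.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional
# Constructed model of the concept in the post (not Azure Sentinel's implementation or
# API): a rule fires when an incident is created, checks conditions on incident and
# entity details, then runs its actions in order; rules run in user-defined order and
# a time-limited rule is skipped once it has expired.

@dataclass
class Incident:
    title: str
    severity: str
    status: str = "New"
    owner: Optional[str] = None
    tags: list = field(default_factory=list)
    entities: dict = field(default_factory=dict)    # e.g. {"host": ..., "platform": ...}
    playbooks_run: list = field(default_factory=list)

@dataclass
class AutomationRule:
    name: str
    order: int                              # rules are evaluated in ascending order
    conditions: list                        # callables Incident -> bool; all must hold
    actions: list                           # (action_type, value) pairs, run in order
    expires_at: Optional[datetime] = None   # None means the rule never expires

    def is_active(self, now: datetime) -> bool:
        return self.expires_at is None or now < self.expires_at
    def matches(self, incident: Incident) -> bool:
        return all(cond(incident) for cond in self.conditions)

# The five action types the post lists, each as a callable (incident, value) -> None.
ACTIONS = {
    "run_playbook": lambda inc, v: inc.playbooks_run.append(v),
    "set_status": lambda inc, v: setattr(inc, "status", v),
    "set_severity": lambda inc, v: setattr(inc, "severity", v),
    "assign_owner": lambda inc, v: setattr(inc, "owner", v),
    "add_tag": lambda inc, v: inc.tags.append(v),
}

def on_incident_created(incident: Incident, rules: list, now: datetime) -> list:
    """Trigger: evaluate every active rule in order; returns the names of rules that fired."""
    fired = []
    for rule in sorted(rules, key=lambda r: r.order):
        if rule.is_active(now) and rule.matches(incident):
            for action_type, value in rule.actions:
                ACTIONS[action_type](incident, value)   # KeyError for an unsupported type
            fired.append(rule.name)
    return fired

# Constructed rules for two scenarios from the post: time-limited suppression of
# penetration-test noise, and automatic assignment of Linux incidents to a specialist.
PENTEST_WINDOW_END = datetime(2021, 3, 20, tzinfo=timezone.utc)
SUPPRESS_PENTEST = AutomationRule(
    name="Suppress pentest noise", order=1,
    conditions=[lambda i: i.entities.get("host") in {"pentest-box-01", "pentest-box-02"}],
    actions=[("add_tag", "pentest-2021-03"), ("set_status", "Closed")],
    expires_at=PENTEST_WINDOW_END)
ASSIGN_LINUX = AutomationRule(
    name="Assign Linux incidents", order=2,
    conditions=[lambda i: i.entities.get("platform") == "Linux", lambda i: i.status != "Closed"],
    actions=[("assign_owner", "linux-analyst@example.com"), ("run_playbook", "Notify-Owner")])

def demo(created_on: str):
    """Run both rules over one constructed pentest-host incident created on an ISO date."""
    now = datetime.fromisoformat(created_on).replace(tzinfo=timezone.utc)
    inc = Incident(title="Suspicious SSH login", severity="Medium",
                   entities={"host": "pentest-box-01", "platform": "Linux"})
    return on_incident_created(inc, [ASSIGN_LINUX, SUPPRESS_PENTEST], now), inc
```

Inside the pentest window only the suppression rule fires and closes the incident, so the assignment rule's "not closed" condition fails; after the window has expired, the same incident is assigned and the notification playbook runs.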

Further reading

  • Introduction to automation in Azure Sentinel | Microsoft Docs (Introduction to SOAR): https://docs.microsoft.com/en-us/azure/sentinel/automation-in-azure-sentinel
  • Automate incident handling in Azure Sentinel | Microsoft Docs (Concept - automation rules): https://docs.microsoft.com/en-us/azure/sentinel/automate-incident-handling-with-automation-rules
  • Automate threat response with playbooks in Azure Sentinel | Microsoft Docs (Concept - playbooks): https://docs.microsoft.com/en-us/azure/sentinel/automate-responses-with-playbooks
  • Tutorial: Use playbooks with automation rules in Azure Sentinel | Microsoft Docs: https://docs.microsoft.com/en-us/azure/sentinel/tutorial-respond-threats-playbook

5 Comments
Occasional Contributor

[Image: Joseph-Abraham_0-1616050445399.png]

@Ely_Abramovitch I guess it should be Incident here.

Occasional Contributor

[Image: Joseph-Abraham_0-1616050551945.png]

New Contributor

Is there any other criteria to use playbooks (logic apps) in Automation rules, other than "Giving Sentinel permissions to run playbooks"? I manage two Sentinel workspaces, and after the update which introduced automation and after successfully giving Sentinel permissions to the workspace where the logic apps are located (same resource group as Sentinel), I'm not able to select the playbooks in the automation rule.

[Image: Automation issue 1.png]

[Image: Automation issue 4.png]

[Image: Automation issue 3.png]

[Image: Automation issue 2.png]

Contributor

@Nexxic

I hit the same issue

You have to change the trigger in your playbook to Azure Sentinel Incident - not Azure Sentinel Alert

[Image: PJR_CDF_0-1617102162611.png]

[Image: PJR_CDF_1-1617102209005.png]

Once you have done this, they will be visible and able to be selected in Automation Rules

Occasional Contributor

I had a playbook that's used for closing the incident when it's triggered via SNOW. After these changes, I am not able to associate the playbook to any of the analytic rules. Any recommendations?

Last update: Mar 17 2021 11:02 PM