Automatically create incidents from Microsoft security alerts and send notification

Copper Contributor

Hello, we have triggered the rule "Automatically create incidents from Microsoft security alerts" and generated incidents successfully. However, we have no idea how to connect these kinds of incidents (from Security Center) with the notification email playbook of other Sentinel rules. We know there is a notification setting in Security Center. Is it possible to set an automatic playbook for the incidents from Microsoft security alerts?

3 Replies

@cklonger As of right now, you cannot do it. There is a private preview that, hopefully, will become a public preview soon that will allow this to occur.

Azure Sentinel Automation was announced at Ignite today, so that should be showing up soon and should handle your use case: https://techcommunity.microsoft.com/t5/azure-sentinel/microsoft-ignite-2021-what-s-new-in-azure-sent...

You can now achieve this with Automation Rules:

https://docs.microsoft.com/en-us/azure/sentinel/automate-incident-handling-with-automation-rules

Remember to adjust any playbook triggers to "When Azure Sentinel incident creation rule was triggered" to be able to use them in automation rules.
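As an added example, not code from this thread or from Microsoft, here is what an automation rule of the kind the reply describes looks like when deployed as an ARM/Bicep resource rather than through the portal: it fires when an incident is created, filters on the incident provider, and runs a playbook. The workspace name, playbook resource ID and tenant ID are parameters you supply; the provider-name value `Azure Security Center` is an assumption about the exact string the product reports for incidents created from Microsoft security alerts, so verify it against an existing incident in your workspace before relying on it.

```bicep
// Added example; assumes an existing Log Analytics workspace with Sentinel enabled
// and an existing Logic App playbook whose trigger is
// "When Azure Sentinel incident creation rule was triggered".
param workspaceName string
param playbookResourceId string           // /subscriptions/<SUB>/resourceGroups/<RG>/providers/Microsoft.Logic/workflows/<NAME>
param tenantId string = tenant().tenantId

resource workspace 'Microsoft.OperationalInsights/workspaces@2021-06-01' existing = {
  name: workspaceName
}

// Automation rules are extension resources scoped to the workspace.
resource notifyRule 'Microsoft.SecurityInsights/automationRules@2021-10-01' = {
  name: 'notify-on-microsoft-security-alert-incidents'
  scope: workspace
  properties: {
    displayName: 'Notify on incidents created from Microsoft security alerts'
    order: 1
    triggeringLogic: {
      isEnabled: true
      triggersOn: 'Incidents'
      triggersWhen: 'Created'
      conditions: [
        {
          // Only match incidents whose provider is Security Center / Defender for Cloud.
          // The propertyValues string is an assumption; confirm it in your workspace.
          conditionType: 'Property'
          conditionProperties: {
            propertyName: 'IncidentProviderName'
            operator: 'Equals'
            propertyValues: [
              'Azure Security Center'
            ]
          }
        }
      ]
    }
    actions: [
      {
        order: 1
        actionType: 'RunPlaybook'
        actionConfiguration: {
          logicAppResourceId: playbookResourceId
          tenantId: tenantId
        }
      }
    ]
  }
}
```

The playbook referenced by `playbookResourceId` must use the incident trigger the reply mentions; a playbook built on the older alert trigger will not appear as a valid action for an automation rule. Sentinel also needs permission to run the playbook, which is granted in the Automation blade (or by role assignment on the playbook's resource group) separately from this deployment.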