Microsoft Secure Tech Accelerator
Apr 03 2024, 07:00 AM - 11:00 AM (PDT)
Microsoft Tech Community

Can't add playbook to incident automation of an analytics rule.

Copper Contributor

Hello,

whenever I add a playbook to the incident automation of an analytics rule i get this message after saving it:

photo_2021-10-18_16-28-55.jpg

 

The playbooks won't be added to the rule. Other actions like changing the status or assigning an owner are possible.

Does anyone know what the problem may be?

 

Thank you!

 

 

4 Replies
I don't see where you would be able to add a playbook directly to an automation rule. In the "Automated response" tab you either add a rule to the "Alert automation" section or add an automation rule to the "Incident automation" section. I can also see where you can change the status but not assign an owner (that is only done once an Incident is created).

Can you provide some screenshots?

@Gary Bushey 

 

Sure, here is a screenshot of what I'm trying to add.

And yes, I want to add it in the incident automation section.

 

analytics_rule.png

 

It's also listed on the Review and update screen

basc0_0-1634629585961.png

But when I save the rule, I get the message from the OP, that it's only partially saved and the automation rule is gone.

It sounds like you would need to open a ticket with Microsoft to get this resolved. In the meantime, can you create the same rule by going through Automation?

@Gary Bushey I tried to add the playbook directly in the incident overview, like:

photo_2021-10-20_16-02-15.jpg

 

After saving, I got an actual error message:

photo_2021-10-20_16-02-20.jpg

Which is discussed here: https://techcommunity.microsoft.com/t5/azure-sentinel/azure-sentinel-automation-preview-issue-with-p...