Logic Apps vs Playbooks and new Sentinel incident trigger


Can someone explain to me the difference between playbooks and logic apps? It seems to me that every playbook is a logic app but not every logic app is really a playbook.


To my mind, a playbook should be the automated response that kicks off when an event occurs, like an incident being created, so the playbook view should only show logic apps with specific triggers. The cross-pollination of names and functionality here is confusing, though par for the course in Microsoft products in general.


I've just tried to use the new "When Azure Sentinel incident creation rule was triggered" trigger that's just entered preview but I cannot seem to add it to the automated response for my analytics rules even though it's listed in my playbooks.


Anybody had any luck with this actually working?


@endakelly A Playbook is a Logic App that is kicked off using an Azure Sentinel trigger.

Without the Azure Sentinel trigger it's just a Logic App.


@endakelly, you need to confirm that the logic app has the trigger kind associated with "Azure Sentinel Alert"; if it has, you'll be able to use it with your alerts.
When your alert is created you can trigger it from within view details related to the alert.
Click on the alert -> View details -> View playbooks
Select the playbook and press on run.
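The check described in the reply above (does this Logic App actually carry a Sentinel trigger, and which kind?) can be done offline against the workflow definition JSON rather than by clicking through each playbook. The script below is an added example, not code from the thread or from Microsoft. It assumes the Sentinel connector shows up in a Logic App definition as an `ApiConnectionWebhook` trigger whose connection name references `azuresentinel`, with webhook path `/subscribe` for the alert trigger and `/incident-creation` for the incident trigger; the three sample definitions are constructed to illustrate the three cases the thread discusses (alert-triggered playbook, incident-triggered playbook, plain Logic App). Verify the paths against your own playbook's code view before relying on them.

```python
import json

# Webhook paths assumed for the two Sentinel trigger kinds (assumption, not from the thread).
SENTINEL_TRIGGER_PATHS = {
    "/subscribe": "alert",           # "When a response to an Azure Sentinel alert is triggered"
    "/incident-creation": "incident",  # "When Azure Sentinel incident creation rule was triggered"
}


def _sentinel_webhook(connection_name, path):
    """Build a constructed ApiConnectionWebhook trigger in the shape the designer emits."""
    return {
        "type": "ApiConnectionWebhook",
        "inputs": {
            "body": {"callback_url": "@{listCallbackUrl()}"},
            "host": {"connection": {"name": connection_name}},
            "path": path,
        },
    }


# Constructed sample definitions (the "definition" object of a Microsoft.Logic/workflows resource).
SENTINEL_CONN = "@parameters('$connections')['azuresentinel']['connectionId']"
ALERT_PLAYBOOK = {
    "triggers": {"When_a_Sentinel_alert_is_triggered": _sentinel_webhook(SENTINEL_CONN, "/subscribe")},
    "actions": {},
}
INCIDENT_PLAYBOOK = {
    "triggers": {"When_incident_rule_triggered": _sentinel_webhook(SENTINEL_CONN, "/incident-creation")},
    "actions": {},
}
PLAIN_LOGIC_APP = {
    "triggers": {"Recurrence": {"type": "Recurrence", "recurrence": {"frequency": "Hour", "interval": 1}}},
    "actions": {},
}


def definition_of(resource):
    """Accept either a bare definition or a full resource document (as returned by the ARM API)."""
    if "triggers" in resource:
        return resource
    return resource.get("properties", {}).get("definition", {})


def find_sentinel_trigger(resource):
    """Return (trigger_name, kind) for the first Sentinel webhook trigger, or None if absent."""
    for name, trigger in definition_of(resource).get("triggers", {}).items():
        if trigger.get("type") != "ApiConnectionWebhook":
            continue
        inputs = trigger.get("inputs", {})
        connection = inputs.get("host", {}).get("connection", {}).get("name", "")
        if "azuresentinel" not in connection.lower():
            continue
        kind = SENTINEL_TRIGGER_PATHS.get(inputs.get("path", ""))
        if kind is not None:
            return name, kind
    return None


def classify(resource):
    """Label a workflow the way the replies above distinguish playbooks from plain Logic Apps."""
    hit = find_sentinel_trigger(resource)
    if hit is None:
        return "logic app (no Sentinel trigger)"
    return f"playbook ({hit[1]} trigger)"


def has_alert_trigger(resource):
    """True only for the trigger kind the second reply says is needed to run against alerts."""
    hit = find_sentinel_trigger(resource)
    return hit is not None and hit[1] == "alert"


if __name__ == "__main__":
    for label, wf in [("alert", ALERT_PLAYBOOK), ("incident", INCIDENT_PLAYBOOK), ("plain", PLAIN_LOGIC_APP)]:
        print(f"{label:9s} -> {classify(wf)}; alert-usable={has_alert_trigger(wf)}")
    # Full resource documents (e.g. from 'az resource show') are accepted too:
    wrapped = {"properties": {"definition": ALERT_PLAYBOOK}}
    print(json.dumps({"wrapped": classify(wrapped)}))
```

To run it against real workflows, export each Logic App's resource JSON and pass the parsed document to `classify`; the function reads `properties.definition` when given the full resource.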