SOLVED

Playbooks appear in playbooks list, but not available for automated response (bis)

Occasional Contributor

Following: Playbooks appear in playbooks list, but not available for automated response (solved but not relevan...

And: Unable to add playbook to automated incident response for Azure Sentinel (Not relevant)

Assoc. Doc. https://docs.microsoft.com/fr-fr/azure/sentinel/tutorial-respond-threats-playbook )


Hi Microsoft,
I created a Logic App with handler "when incident creation in Sentinel rule was Triggered"*.

I got Read rights on the RG and Logic Apps operator & Contributor + Sentinel contributor.

I can see my LogicApp in the playbook thumb (enabled, with good trigger descirption), yet I can't see it when creating automation from "Automation" thumb. (Rule : "If analytics name contains : All")

Is it a bug? Did I miss something?

 

EDIT 07-20: added with Subscription owner rights the RG access to Sentinel Automation, giving "Azure Sentinel Automation Contributor"rights to “Azure Security Insights” on the resource group. Source. No effect.
* I18n approximative from French.

4 Replies

Hi @rodtrent,

Thank you for your answer. That one was rather tricky, interface is not clear for automation for this subject.

I successfully applied right permission to my user (I got Sub owner account in parallel) AND followed your tutorial (from : https://docs.microsoft.com/fr-fr/azure/sentinel/tutorial-respond-threats-playbook). All rights are OK in RG IAM, I can see "Security Insights" having Automation rights (please note that my Logic App is in the same RG as Sentinel).

Not my user, nor even Owner can see playbook anyway in the "New automation rule" menu.

best response confirmed by jeffazure (Occasional Contributor)
Solution
I found it! it was a bug!

When a logic App is created with the wrong trigger at first (alert instead of incident), it's not seen by Automation rule plaubook menu (normal).

But even when afterwards trigger is changed to "Incident rule was created", playbook type is still not updated, so Automation rule can't see it.

had to delete my Logic App and recreate it to make it work.
Oh boy...

You had me checking everything. You should report that bug if you can. I'll highlight it internally, too.