Forum Discussion
Playbooks not triggering automatically when an alert is generated
Hi All,
I'm trying to send an email notification when an alert is triggered in Sentinel. I've created a playbook using the "When a response to an Azure Sentinel alert is triggered" trigger and attached this to one of the built in analytics rules.
When the analytics rule fires and an incident is created, the playbook doesn't run. If I go into the full details of the incident and click view playbooks, the playbook is there and I can run it manually with no problem.
Can anyone provide some guidance into what I'm doing wrong? Or is there another way to receive email notifications when a new incident is raised? I don't really want to have to keep an eye on the incidents view all day to see when a new incident is raised.
Thanks.
- GaryBushey (Bronze Contributor)
stupac86 Just to verify: when you edit the analytics rule in question and go to the "Automated Response" tab, is your playbook listed as the "Selected playbook"? I have been bitten by thinking I had selected the playbook when I really hadn't.
- stupac86 (Copper Contributor)
- musthi1770 (Copper Contributor)
Hello
I have the same issue: I can't automate playbooks to send me emails when new alerts are triggered. So far I have only turned on the standard Microsoft alert templates present in the Analytics tab and linked my alert playbook to all of the ones I have turned on. However, none of them gave me the "Real-time automation" tabs shown in this Tutorial: Automate threat responses.
- Pranesh1060 (Brass Contributor)
stupac86 Even I am facing the same issue, I have to trigger the playbook manually to get the alerts. Have you had any luck so far? If yes, please suggest what was done.
- PYB_01 (Copper Contributor)
stupac86 did you get an answer from Microsoft for this issue?
They uploaded documentation on November 11th regarding "Automate threat responses", but the feature doesn't seem to be available anymore...
I myself am trying to automate a playbook in order to close false-positive alerts in Sentinel, but I can't configure the default analytics rules (like ASC alerts) to trigger the playbook.
- Pranesh1060 (Brass Contributor)
Hi Folks,
I was going through this with Microsoft and came to know that when an alert is triggered from any source other than Azure Sentinel, the playbook will not get triggered automatically.
Consider this example: you have an alert in MCAS that is forwarded to Sentinel. You will be able to see the alert in Sentinel with the source name "MCAS", but it will not trigger the playbook automatically. However, if you have an analytics rule in Azure Sentinel that queries and triggers the same alert on its schedule, only then will the playbook be triggered.
Automatic triggering of playbooks from different sources via Sentinel is currently in preview.
I have been trying to simulate the same in our environment, but to no avail. You might try this as well and let everyone know if it works.
Please do correct me if I am wrong.
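The workaround Pranesh1060 describes (a Sentinel-native scheduled analytics rule that re-raises alerts ingested from an external source, so that the rule, not the external connector, creates the alert and fires the attached playbook) can be expressed as the rule's query. This is an added example, not code from the thread or from Microsoft; it assumes the connector writes into the SecurityAlert table and that the source's ProviderName value is "MCAS" (verify the actual value in your workspace with `SecurityAlert | distinct ProviderName` before relying on it).

```kql
// Added example (not from the thread): query for a scheduled analytics rule.
// Each match is raised as a Sentinel-native alert, so a playbook attached to
// this rule via the "Automated Response" tab fires automatically.
// Assumption: ProviderName for Cloud App Security alerts is "MCAS".
SecurityAlert
| where TimeGenerated > ago(1h)                 // match the rule's lookback to its run frequency
| where ProviderName == "MCAS"                  // assumed provider value; confirm in your workspace
| where AlertSeverity in ("High", "Medium")     // tune to what should page someone
| project TimeGenerated, AlertName, AlertSeverity, Description,
          CompromisedEntity, ProviderName, SystemAlertId
```

Because the rule re-raises alerts the connector already ingested, expect two alerts per event (the original and the rule's copy); keep the lookback equal to the run frequency to avoid raising the same alert repeatedly.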
- Neil2020 (Copper Contributor)
I'm having the exact same issue 5 months after this thread stopped.
Opened a case with MS, and they admit the Sentinel trigger does not work consistently; kind of critical in my view for a SIEM.
- DavideB (Copper Contributor)
Pranesh1060: any news about the Sentinel trigger (preview) "When Azure Sentinel incident creation rule was triggered"? How to use it?
I tried to set the analytic rules (incident-based) with the Playbook using the new trigger but I got the error "Playbook XXXXXXX doesn't start with 'When_a_response_to_an_Azure_Sentinel_alert_is_triggered' step!"
TIA
Davide
- Ofer_Shezaf (Microsoft)
DavideB: the incident trigger is currently in private preview. The way things work, the Logic App connector support for it cannot be private and hence you see it documented.