SOLVED

Run Playbook Action Blank Automation


Hey All,

When I select the action and then Run Playbook (see screenshot), it gets no available items. Has anyone else had this?

6 Replies
Do you have any Playbooks configured with the Incident trigger? Do you have Logic App Contributor permission on the Logic Apps?
Hi,

I do have two of them linked to incidents, the rest are not. The account I'm using has owner level permissions.
Could you provide an overview of your Logic App? A screenshot of the top part?
The trigger should be When Azure Sentinel incident creation rule was triggered

Sure, the attached is from the GitHub playbook that we use to run an IP check against anonymous IP alerts @Thijs Lecomte

best response confirmed by superjay (Occasional Contributor)
Solution
What is the first step? I think you are using a Playbook which should be triggered by an alert, instead of an incident.

Incident-based Playbooks need to be configured through automation rules
Alert-based Playbooks through the Analytics Rule configuration (in the automation tab)
https://docs.microsoft.com/en-us/azure/sentinel/tutorial-respond-threats-playbook#respond-to-alerts
Yep, that's solved it. Made a test rule and changed the triggering to Azure Sentinel Incident (Preview). Thanks so much :)
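
The distinction in the accepted answer can be checked from a playbook's exported Logic App definition. The following is an added example, not part of the original thread or of Microsoft's tooling: it classifies playbooks by their Sentinel trigger and reports where each one can be attached. The playbook names and definitions are constructed, and the trigger paths `/subscribe` (alert) and `/incident-creation` (incident) are assumed to match what your own exports contain.

```python
# Trigger paths the Sentinel connector writes into a Logic App definition.
# Assumption: verify these against a definition exported from your tenant.
TRIGGER_KIND_BY_PATH = {
    "/subscribe": "alert",
    "/incident-creation": "incident",
}

# Where each kind of playbook is attached, per the accepted answer above.
ATTACH_POINT = {
    "incident": "automation rule (Run playbook action)",
    "alert": "analytics rule, automation tab",
    "other": "not a Sentinel-triggered playbook",
}


def playbook_trigger_kind(definition: dict) -> str:
    """Return 'alert', 'incident' or 'other' for a workflow definition."""
    for trigger in definition.get("triggers", {}).values():
        if trigger.get("type") != "ApiConnectionWebhook":
            continue  # Sentinel triggers are webhook subscriptions
        path = trigger.get("inputs", {}).get("path", "")
        if path in TRIGGER_KIND_BY_PATH:
            return TRIGGER_KIND_BY_PATH[path]
    return "other"


def attach_points(playbooks: dict) -> dict:
    """Map playbook name -> (kind, where it can be selected)."""
    result = {}
    for name, definition in playbooks.items():
        kind = playbook_trigger_kind(definition)
        result[name] = (kind, ATTACH_POINT[kind])
    return result


def _webhook(path: str) -> dict:
    # Constructed minimal trigger block, shaped like an exported definition.
    return {"type": "ApiConnectionWebhook", "inputs": {"path": path}}


# Constructed sample inventory (hypothetical playbook names).
SAMPLE_PLAYBOOKS = {
    "Check-AnonymousIP": {"triggers": {"t": _webhook("/subscribe")}},
    "Triage-Incident": {"triggers": {"t": _webhook("/incident-creation")}},
    "Nightly-Report": {"triggers": {"t": {"type": "Recurrence"}}},
}

if __name__ == "__main__":
    for name, (kind, where) in attach_points(SAMPLE_PLAYBOOKS).items():
        print(f"{name}: {kind} trigger -> {where}")
```

A playbook reported as `alert` will not appear in the automation rule's Run Playbook list, which is the empty dropdown described in the question.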