Sentinel alerts stopped running playbooks

Brass Contributor

I have at least four instances of Sentinel where the alerts create the incidents but don't run the associated playbooks. This seemed to have started somewhere around Dec 30th. There are no failed runs for the logic apps, and if I trigger the playbook from the incident detailed view, it works without any problem. 


I have scheduled logic apps (using the Recurrence trigger) and they work fine but those that are supposed to be triggered by an Azure Sentinel alert are not running even though there are alerts raised.


I opened a ticket with Microsoft but I didn't receive any reply so far.




14 Replies

Also having the same issue across 3 tenants. Problem started for us around 9am EST on the 31st. 


I can run them manually within the Incident details page, but triggers are failing if I run them in the Logic App page.


After some digging around in the logic app code, I looked at the raw output of the block that's failing I found that the header is not populating correctly and the body is not populating at all.

@leoszalkowski I've seen your post and the problem looks quite similar. 


The playbook would not work if one triggers the "Sentinel Alert" manually because is missing the data from the alert itself. For this reason, when used from the Incident details interface, the playbook works because it is receiving the alert details.


I don't think this is a problem with the playbooks as they are not showing with failed runs. Most likely is an issue with the Azure Sentinel Logic App trigger (that's still in Preview mode). I will create a new playbook from scratch and see if it makes any difference.

@AdiGrio You're probably right. That's probably why the raw output of the trigger block isn't populating properly. 



I got the same issue and raised a ticket on 30/12. Triggering the playbooks manually from the incidents works as a work around. Been in touch with the support just now and it seems to be a general issue thats being worked on so MS is aware and working on it.

An interesting thing, I created a dummy playbook, assigned it to the alert and it worked. I switched back to the original playbook and now the alert triggers it.

@AdiGrio That's odd. 


So you assigned the alert the new dummy playbook and reassigned the alert the old playbook?

@leoszalkowski That's correct, I assigned a new playbook, saved, reassigned the old playbook and it worked after that.  In fact you can just remove the existing playbook, save, and then reassign, no need for a "temporary"  one. The problem is that I would have to do that for every alert configured. We have hundreds of them so I would rather not go that path.

Good for you but strange for me. I tried that aswell. Twice. Also creating a new playbook from scratch And assigning but the result was the same. Maybe something have changed and I should try again. That or I’m missing something. But second time around I had me support in session so it shouldn’t be.

Anyone know if there is a place where ongoing issues are published?



Having the exact same issues, has there been any progress?


Tried the workaround you suggested but no success,




@Neil2020 It just fixed by itself after a couple of days, we didn't have to do anything.



Wow, still broken for me so raised a suport case, they have said it is being escalated so I will wait,


Thanks for responding



Have you heard anything?  I'm have the same problem.   The playbook runs manually from sentinel incidents page but doesn't trigger on new alerts.  I need it to trigger since this logic app is for notification of new incidents.    Any insight would be appreciated 



As a test, I suggest that you delete and recreate the alert to see if it makes any difference. In some situations it appears that the "sync" between the alert and the playbook (aka an "action") is lost or misconfigured so you may have a situation where an alert may look like is assigned to a playbook but in reality is not. This could also cause the opposite of not running playbooks, when the playbook is ran several times. That again we found out was due to the alert having several "actions" for the same playbook (the Sentinel "actions" are only accessible throught the API).


Adrian Grigorof

@AdiGrio, Thanks that worked!