Playbook (Logic App) - trigger - When Azure Sentinel incident creation rule was triggered

%3CLINGO-SUB%20id%3D%22lingo-sub-1584006%22%20slang%3D%22en-US%22%3EPlaybook%20(Logic%20App)%20-%20trigger%20-%20When%20Azure%20Sentinel%20incident%20creation%20rule%20was%20triggered%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1584006%22%20slang%3D%22en-US%22%3E%3CP%3EHi%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3Ei%20am%20attempting%20to%20use%20the%20trigger%20%22When%20Azure%20Sentinel%20incident%20creation%20rule%20was%20triggered%22%26nbsp%3B%20that's%20in%20preview.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3Ebut%20the%20playbook%20is%20not%20triggered%20even%20if%20i%20know%20that%20i%20have%20a%20new%20incident%20in%20Sentinel%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3Ewhat's%20missing%20from%20the%20configuration%3F%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1584783%22%20slang%3D%22en-US%22%3ERe%3A%20Playbook%20(Logic%20App)%20-%20trigger%20-%20When%20Azure%20Sentinel%20incident%20creation%20rule%20was%20triggered%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1584783%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F756984%22%20target%3D%22_blank%22%3E%40erlendoyen%3C%2FA%3E%26nbsp%3BYou%20are%20probably%20not%20going%20to%20get%20much%20help%20here%20as%2C%20like%20you%20said%2C%20the%20feature%20is%20in%20private%20preview%20and%20we%20are%20unable%20to%20discuss%20it.%26nbsp%3B%20There%20should%20be%20some%20email%20addresses%20in%20the%20preview%20documents%20that%20you%20can%20use%20to%20ask%20for%20assistance.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1584790%22%20slang%3D%22en-US%22%3ERe%3A%20Playbook%20(Logic%20App)%20-%20trigger%20-%20When%20Azure%20Sentinel%20incident%20creation%20rule%20was%20triggered%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1584790%22%20slang%3D%22en-US%22%3EHm%2C%20I%20have%20not%20applied%20for%20a%20private%20priview%20so%20I%20assumed
%20it's%20public%20preview%20now%3F%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1584797%22%20slang%3D%22en-US%22%3ERe%3A%20Playbook%20(Logic%20App)%20-%20trigger%20-%20When%20Azure%20Sentinel%20incident%20creation%20rule%20was%20triggered%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1584797%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F756984%22%20target%3D%22_blank%22%3E%40erlendoyen%3C%2FA%3E%26nbsp%3BI%20think%20what%20is%20happening%20is%20the%20Incident%20trigger%20is%20showing%20up%20when%20creating%20Playbooks%20but%20you%20still%20need%20to%20be%20part%20of%20the%20private%20preview%20to%20use%20it.%26nbsp%3B%20I%20am%20trying%20to%20get%20verification%20of%20this%20and%20if%20I%20am%20wrong%20I%20will%20let%20you%20know.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1584819%22%20slang%3D%22en-US%22%3ERe%3A%20Playbook%20(Logic%20App)%20-%20trigger%20-%20When%20Azure%20Sentinel%20incident%20creation%20rule%20was%20triggered%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1584819%22%20slang%3D%22en-US%22%3EAha%2C%20ok%20where%20can%20I%20sign%20up%20for%20the%20private%20preview%3F%20Any%20idea%20on%20when%20it%20will%20be%20public%3F%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1592550%22%20slang%3D%22en-US%22%3ERe%3A%20Playbook%20(Logic%20App)%20-%20trigger%20-%20When%20Azure%20Sentinel%20incident%20creation%20rule%20was%20triggered%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1592550%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F756984%22%20target%3D%22_blank%22%3E%40erlendoyen%3C%2FA%3E%26nbsp%3B%3A%26nbsp%3B%3CSPAN%3EJoin%20our%26nbsp%3B%3C%2FSPAN%3E%3CA%20href%3D%22https%3A%2F%2Faka.ms%2FSecurityPrP%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%20data-interception%3D%22on%22%20data-cke-saved-href%3D%22%2Fteams%2FAzure
SentinelProductInfo%2FSitePages%2FAzure-Sentinel-General-FAQ.aspx%23my-customer-or-i-want-to-join-a-private-preview%22%3EPrivate%20Previews%3C%2FA%3E%3CSPAN%3E%26nbsp%3Bprogram%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1598982%22%20slang%3D%22en-US%22%3ERe%3A%20Playbook%20(Logic%20App)%20-%20trigger%20-%20When%20Azure%20Sentinel%20incident%20creation%20rule%20was%20triggered%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1598982%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F756984%22%20target%3D%22_blank%22%3E%40erlendoyen%3C%2FA%3E%26nbsp%3BGo%20to%20Analytics%20and%20click%20the%20alert%20rule%20that%20you%20want%20to%20get%20alerted%20on%20and%20edit%20it.%20The%20rule%20type%20has%20to%20be%20scheduled%20for%20you%20to%20be%20able%20to%20trigger%20the%20playbook.%20Go%20to%20automated%20response%20type%20and%20select%20the%20playbook%2Flogic%20app%20that%20you%20created%20and%20save%20it.%26nbsp%3B%3C%2FP%3E%3CP%3EIt's%20kind%20of%20confusing%20but%20you%20will%20have%20to%20do%20it%20for%20every%20alert%20rule%20and%20it%20doesn't%20do%20it%20for%20every%20rule%20automatically%20as%20the%20logic%20app%20suggests.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1785332%22%20slang%3D%22en-US%22%3ERe%3A%20Playbook%20(Logic%20App)%20-%20trigger%20-%20When%20Azure%20Sentinel%20incident%20creation%20rule%20was%20triggered%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1785332%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F293879%22%20target%3D%22_blank%22%3E%40Ofer_Shezaf%3C%2FA%3E%26nbsp%3BIs%20this%20the%20only%20option%20to%20trigger%20a%20playbook%20against%20an%20incident%3F%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22sammyredo_0-1602787993091.png%22%20st
yle%3D%22width%3A%20519px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F227010iC8065F3A670E5C8E%2Fimage-dimensions%2F519x116%3Fv%3D1.0%22%20width%3D%22519%22%20height%3D%22116%22%20role%3D%22button%22%20title%3D%22sammyredo_0-1602787993091.png%22%20alt%3D%22sammyredo_0-1602787993091.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThe%20first%20option%20which%20I%20am%20able%20to%20use%20Only%20triggers%20against%20generated%20alerts.%3C%2FP%3E%3CP%3EIs%20there%20any%20other%20option%20you%20know%20of%2C%20if%20I%20want%20to%20trigger%20a%20playbook%20with%20an%20Incident%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1793735%22%20slang%3D%22en-US%22%3ERe%3A%20Playbook%20(Logic%20App)%20-%20trigger%20-%20When%20Azure%20Sentinel%20incident%20creation%20rule%20was%20triggered%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1793735%22%20slang%3D%22en-US%22%3EAs%20mentined%2C%20the%20second%20one%2C%20which%20is%20what%20you%20need%2C%20is%20in%20private%20preview.%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1796187%22%20slang%3D%22en-US%22%3ERe%3A%20Playbook%20(Logic%20App)%20-%20trigger%20-%20When%20Azure%20Sentinel%20incident%20creation%20rule%20was%20triggered%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1796187%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F756984%22%20target%3D%22_blank%22%3E%40erlendoyen%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EPrivate%20previews%20tend%20to%20move%20pretty%20fast%20with%20Sentinel.%20Worth%20the%20wait%20on%20the%20new%20activity.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EIf%20you%20need%20something%20sooner%20you%20can%20schedule%20a%20query%20against%20the%20incidents%20table%20using%20the%20%22Run%20query%20and%20list%20results%22%20activity.%26nbsp%3B%26nbsp%3B%3CA%20href%3D%22https%3A%2
F%2Fazurecloudai.blog%2F2020%2F09%2F23%2Fsentinel-email-notification-logic-app%2F%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fazurecloudai.blog%2F2020%2F09%2F23%2Fsentinel-email-notification-logic-app%2F%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1796222%22%20slang%3D%22en-US%22%3ERe%3A%20Playbook%20(Logic%20App)%20-%20trigger%20-%20When%20Azure%20Sentinel%20incident%20creation%20rule%20was%20triggered%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1796222%22%20slang%3D%22en-US%22%3E%3CP%3EYou%20will%20have%20to%20follow%20the%20below%20steps%20until%20the%20Public%20Preview%20Mode%20is%20available.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3COL%3E%3CLI%3E%3CSTRONG%3EPortal%3A%3C%2FSTRONG%3E%26nbsp%3BEnsure%20when%20working%20on%20the%20Portal%2C%20the%20flag%26nbsp%3B%3CSTRONG%3E%E2%80%9C%3FFeature.IncidentTriggering%3Dtrue%3C%2FSTRONG%3E%E2%80%9D%20is%20in%20the%20URL%2FAddress%20Bar.%3C%2FLI%3E%3C%2FOL%3E%3CP%20data-unlink%3D%22true%22%3Eo%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3BAlso%20accessible%20from%20this%20link%20%E2%80%93%26nbsp%3Bwww.aka.ms%2Fincidenttrigger%26nbsp%3B%26nbsp%3Bor%26nbsp%3Bhttps%3A%2F%2Fms.portal.azure.com%2F%3FFeature.IncidentTriggering%3Dtrue%23home%26nbsp%3B%3C%2FP%3E%3COL%3E%3CLI%3E%3CSTRONG%3ELogic%20App%3A%3C%2FSTRONG%3E%3C%2FLI%3E%3C%2FOL%3E%3CP%3Eo%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3BSwitch%20to%20trigger%3A%26nbsp%3B%3CU%3EWhen%20Azure%20Sentinel%20incident%20creation%20rule%20was%20triggered%3C%2FU%3E%3C%2FP%3E%3CP%20data-unlink%3D%22true%22%3E%C2%B7%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3BThis%20trigger%20is%20in%26nbsp%3B%3CSTRONG%3EPrivate%20Preview%20mode%3C%2FSTRONG%3E%2C%20and%20to%20access%2C%20you%20need%20to%20join%20the%20Private%20Preview%20Program%20using%20this%20link%3A%26nbsp%3Bhttps%3A%2F%2Faka.ms%2FSecurityPrP%26nbsp%3B%3C%2FP%3E%3
CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3Eo%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3BSelect%20the%26nbsp%3B%3CSTRONG%3EincidentURL%3C%2FSTRONG%3E%26nbsp%3Bfrom%20Dynamic%20Content.%20This%20returns%20nested%20JSON%20data%20-%20IncidentEventNotification%20%26gt%3B%20FullIncident%20%26gt%3B%20FullIncidentProperties%20%26gt%3B%26nbsp%3BincidentUrl%3C%2FP%3E%3CP%20data-unlink%3D%22true%22%3E%C2%B7%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3BFeel%20free%20to%20refer%20to%20this%20document%20for%20more%20information%3A%26nbsp%3Bhttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fconnectors%2Fazuresentinel%2F%23fullincidentproperties%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3COL%3E%3CLI%3E%3CSTRONG%3EAzure%20Sentinel%3A%3C%2FSTRONG%3E%3C%2FLI%3E%3C%2FOL%3E%3CP%3Eo%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3BCreate%20or%20edit%20a%20%E2%80%9CSchedule%20query%20rule%E2%80%9D%20or%20a%20%E2%80%9CMicrosoft%20incident%20creation%20rule%E2%80%9D%20on%20the%20Analytics%20page.%3C%2FP%3E%3CP%3Eo%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3Bon%20the%20%E2%80%9CAutomated%20response%E2%80%9D%20tab%2C%20check%20a%20playbook%20with%20%E2%80%9CAzure%20Sentinel%20Incident%E2%80%9D%20trigger.%3C%2FP%3E%3CP%3E%C2%B7%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%3CSTRONG%3ENote%3A%3C%2FSTRONG%3E%26nbsp%3BManual%20triggering%20of%20the%20playbook%20from%20Azure%20Sentinel%20is%20not%20yet%20supported%20in%20the%26nbsp%3B%3CSTRONG%3EPrivate%20Preview%20Mode%3C%2FSTRONG%3E%2C%20but%20it%20will%20be%20supported%20in%26nbsp%3B%3CSTRONG%3EPublic%20Preview%20Mode%26nbsp%3B%3C%2FSTRONG%3Elater%20in%20October%20(ETA).%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1805437%22%20slang%3D%22en-US%22%3ERe%3A%20Playbook%20(Logic%20App)%20-%20trigger%20-%20When%20Azure%20Sentinel%20incident%20creation%20r
ule%20was%20triggered%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1805437%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F756984%22%20target%3D%22_blank%22%3E%40erlendoyen%3C%2FA%3E%26nbsp%3BIf%20you%20have%20a%20Microsoft%20NDA%2C%20you%20can%20sign%20up%20for%20our%20preview%20program%20at%20%3CA%20href%3D%22http%3A%2F%2Fwww.aka.ms%2FSecurityPrP%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ewww.aka.ms%2FSecurityPrP%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1823614%22%20slang%3D%22en-US%22%3ERe%3A%20Playbook%20(Logic%20App)%20-%20trigger%20-%20When%20Azure%20Sentinel%20incident%20creation%20rule%20was%20triggered%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1823614%22%20slang%3D%22en-US%22%3E%3CP%3EAnyone%20know%20when%20this%20will%20be%20publicly%20available%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2048504%22%20slang%3D%22en-US%22%3ERe%3A%20Playbook%20(Logic%20App)%20-%20trigger%20-%20When%20Azure%20Sentinel%20incident%20creation%20rule%20was%20triggered%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2048504%22%20slang%3D%22en-US%22%3EWhen%20can%20we%20expect%20this%20working.%20Even%20the%20private%20previews%20doesn't%20work.%20Microsoft%20failed%20in%20delivering%20this%20again%20%3F%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2048506%22%20slang%3D%22en-US%22%3ERe%3A%20Playbook%20(Logic%20App)%20-%20trigger%20-%20When%20Azure%20Sentinel%20incident%20creation%20rule%20was%20triggered%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2048506%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F516158%22%20target%3D%22_blank%22%3E%40Prash915%3C%2FA%3E%26nbsp%3B%20%3A%20I%20am%20not%20aware%20that%20the%20private%20preview%20does%20not%20work.%20That%20said%2C%20the%20feature%20will%20be%20
supported%20as%20part%20of%20a%20larger%20motion%20to%20enhance%20Sentinel%20automation%2C%20called%20automatoin%20rules%2C%20which%20is%20entering%20private%20preview%20as%20we%20speak.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2049585%22%20slang%3D%22en-US%22%3ERe%3A%20Playbook%20(Logic%20App)%20-%20trigger%20-%20When%20Azure%20Sentinel%20incident%20creation%20rule%20was%20triggered%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2049585%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F293879%22%20target%3D%22_blank%22%3E%40Ofer_Shezaf%3C%2FA%3E%26nbsp%3B-%20Playbook%20is%20not%20listed%20at%20the%20automated%20response%20section%20of%20the%20analytics%20rule%20(when%20in%20edit).%26nbsp%3B%20Tenant%20is%20registered%20for%20private%20preview%20but%20sadly%20none%20of%20the%20playbook%20using%20new%20trigger%20displays%20in%20the%20automated%20response%20list.%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2204226%22%20slang%3D%22en-US%22%3ERe%3A%20Playbook%20(Logic%20App)%20-%20trigger%20-%20When%20Azure%20Sentinel%20incident%20creation%20rule%20was%20triggered%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2204226%22%20slang%3D%22en-US%22%3E%3CP%3EWhat%20is%20the%20GA%20date%20for%20this%20feature%20in%20logic%20apps%3F%20Is%20there%20anybody%20who%20is%20aware%20of%20this%3F%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2204511%22%20slang%3D%22en-US%22%3ERe%3A%20Playbook%20(Logic%20App)%20-%20trigger%20-%20When%20Azure%20Sentinel%20incident%20creation%20rule%20was%20triggered%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2204511%22%20slang%3D%22en-US%22%3EIt%20was%20announced%20at%20Ignite%20it%20would%20turn%20public%20preview%20soon%3CBR%20%2F%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fazure-sentinel%2Fmicrosoft-ignite-2021-what-s-new-in-azure-senti
nel%2Fba-p%2F2175225%22%20target%3D%22_blank%22%3Ehttps%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fazure-sentinel%2Fmicrosoft-ignite-2021-what-s-new-in-azure-sentinel%2Fba-p%2F2175225%3C%2FA%3E%3CBR%20%2F%3ENo%20news%20has%20been%20out%20when%20it%20will%20become%20available%20in%20our%20subscriptions%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2218496%22%20slang%3D%22en-US%22%3ERe%3A%20Playbook%20(Logic%20App)%20-%20trigger%20-%20When%20Azure%20Sentinel%20incident%20creation%20rule%20was%20triggered%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2218496%22%20slang%3D%22en-US%22%3EStarted%20rolling%20out%20gradually%20to%20public%20preview%20today.%20Should%20be%20100%25%20rolled%20out%20in%20two%20weeks.%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2232280%22%20slang%3D%22en-US%22%3ERe%3A%20Playbook%20(Logic%20App)%20-%20trigger%20-%20When%20Azure%20Sentinel%20incident%20creation%20rule%20was%20triggered%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2232280%22%20slang%3D%22en-US%22%3E%3CP%3EThis%20great%20feature%20is%20on%20GA%2C%20now%20!!!%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThank%20you%20!!%3C%2FP%3E%3CP%3ERegards%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2840224%22%20slang%3D%22en-US%22%3ERe%3A%20Playbook%20(Logic%20App)%20-%20trigger%20-%20When%20Azure%20Sentinel%20incident%20creation%20rule%20was%20triggered%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2840224%22%20slang%3D%22en-US%22%3EHi%20everyone%2C%3CBR%20%2F%3EDo%20these%20logic%20apps%2Fplaybooks%20still%20need%20to%20be%20attached%20to%20every%20single%20analytics%20rule%3F%3CBR%20%2F%3EI'd%20like%20to%20create%20a%20'global'%20playbook%20to%20add%20contextual%20information%20to%20every%20incident.%3CBR%20%2F%3Eeg.%20apply%20MITRE%20SHIELD%20information%20to%20every%20incident's%20comment%20section.%3CBR%20%2F%3EI'm%20not%20eager%20to%20go%20to%20all%20300%20analytic%20rules%20and%20assign%20a%20playbook.%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%
22lingo-sub-2841537%22%20slang%3D%22en-US%22%3ERe%3A%20Playbook%20(Logic%20App)%20-%20trigger%20-%20When%20Azure%20Sentinel%20incident%20creation%20rule%20was%20triggered%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2841537%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F434938%22%20target%3D%22_blank%22%3E%40bobsyouruncle%3C%2FA%3E%26nbsp%3BIf%20you%20are%20using%20the%20Incident%20trigger%20in%20a%20playbook%2C%20you%20can%20use%20the%20Automation%20rules%20feature%20of%20Azure%20Sentinel%20to%20have%20that%20playbook%20automatically%20run%20for%20any%20incident%20that%20gets%20created.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fsentinel%2Fautomate-incident-handling-with-automation-rules%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fsentinel%2Fautomate-incident-handling-with-automation-rules%3C%2FA%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2841762%22%20slang%3D%22en-US%22%3ERe%3A%20Playbook%20(Logic%20App)%20-%20trigger%20-%20When%20Azure%20Sentinel%20incident%20creation%20rule%20was%20triggered%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2841762%22%20slang%3D%22en-US%22%3EThanks%20Gary%2C%20but%20I'm%20not%20sure%20you're%20saying%20a%20'global'%20playbook%20is%20possible%3F%3CBR%20%2F%3EYou're%20saying%20I%20still%20have%20to%20assign%20my%20playbook%20to%20each%20individual%20analytic%20rules%20automation%20but%20it%20will%20be%20auto%20triggered%20if%20an%20incident%20is%20fired%20for%20that%20rule.%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2841768%22%20slang%3D%22en-US%22%3ERe%3A%20Playbook%20(Logic%20App)%20-%20trigger%20-%20When%20Azure%20Sentinel%20incident%20creation%20rule%20was%20triggered%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22ling
o-body-2841768%22%20slang%3D%22en-US%22%3EThanks%20Gary%2C%20but%20I'm%20not%20sure%20you're%20saying%20a%20'global'%20playbook%20is%20possible%3F%3CBR%20%2F%3EYou're%20saying%20I%20still%20have%20to%20assign%20my%20playbook%20to%20each%20individual%20analytic%20rules%20automation%20but%20it%20will%20be%20auto%20triggered%20if%20an%20incident%20is%20fired%20for%20that%20rule.%3CBR%20%2F%3E%3CBR%20%2F%3EOr%20ore%20you%20saying%20there's%20some%20global%20feature%20with%20this%20I%20don't%20understand%3F%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2841879%22%20slang%3D%22en-US%22%3ERe%3A%20Playbook%20(Logic%20App)%20-%20trigger%20-%20When%20Azure%20Sentinel%20incident%20creation%20rule%20was%20triggered%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2841879%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F434938%22%20target%3D%22_blank%22%3E%40bobsyouruncle%3C%2FA%3E%26nbsp%3BThe%20Sentinel%20logic%20app%20triggers%20for%20incidents%20and%20alerts%20do%20not%20monitor%20Sentinel%20for%20new%20alerts%20(though%20that%20is%20understandable%20assumption).%20Rather%20those%20triggers%20configure%20the%20Logic%20App%20to%20be%20triggered%20or%20called%20by%20Sentinel.%20The%20logic%20app%20is%20waiting%20to%20be%20called.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EAlert-based%20triggers%20are%20linked%20to%20specific%20scheduled%20analytic%20rules%20and%20can%20be%20run%20manually%20from%20an%20incident%20(scroll%20to%20the%20far%20right%20on%20the%20alerts%20list%20inside%20an%20incident).%20This%20option%20is%20limited%20to%20alerts%20generated%20by%20the%20scheduled%20rule-type.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EIncident-based%20triggers%20are%20called%20by%20the%20new%20Automation%20rules.%20These%20can%20be%20setup%20to%20response%20to%20any%20rule-type%20(any%20specific%20rule%20or%20all%20rules).%20For%20a%20global%20trigger%2C%20create%20a%20logic%
20app%20with%20an%20incident%20trigger%20and%20create%20an%20automation%20rule%20to%20call%20the%20Playbook%20for%20all%20rules.%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2842043%22%20slang%3D%22en-US%22%3ERe%3A%20Playbook%20(Logic%20App)%20-%20trigger%20-%20When%20Azure%20Sentinel%20incident%20creation%20rule%20was%20triggered%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2842043%22%20slang%3D%22en-US%22%3EAndrew%2C%20thanks%2C%20this%20is%20getting%20me%20closer%20to%20my%20answer!%3CBR%20%2F%3ESo%20my%20new%20question%20is%3A%20how%20to%20create%20an%20automation%20rule%20to%20trigger%20on%20all%20incidents.%3CBR%20%2F%3Eeg.%20is%20this%20a%20Sentinel%20rule%20that%20queries%20for%20all%20incidents%3F%20And%20then%20I'd%20have%20to%20extract%20the%20incident%20ID%20in%20my%20playbook%3F%3CBR%20%2F%3EIs%20there%20an%20example%20of%20this%20somewhere%3F%3CBR%20%2F%3EIt%20seems%20to%20me%20it's%20a%201%20or%202%20step%20process%20but%20I%20don't%20quite%20get%20it%20yet.%3CBR%20%2F%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2842256%22%20slang%3D%22en-US%22%3ERe%3A%20Playbook%20(Logic%20App)%20-%20trigger%20-%20When%20Azure%20Sentinel%20incident%20creation%20rule%20was%20triggered%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2842256%22%20slang%3D%22en-US%22%3EI%20would%20start%20by%20creating%20a%20logic%20app%20with%20just%20a%20Sentinel%20incident%20trigger.%20Save%20the%20app%20so%20it%20can%20be%20linked%20in%20Sentinel.%20In%20the%20Automation%20blade%20create%20an%20Automation%20rule.%20This%20will%20default%20to%20%22Rule%20name%20contains%20all%22.%20Add%20a%20Playbook%20action%20calling%20your%20new%20logic%20app.%3CBR%20%2F%3E%3CBR%20%2F%3EThere%20are%20some%20additional%20steps%20to%20grant%20Sentinel%20access%20to%20trigger%20logic%20apps.%20This%20adds%20the%20Sentinel%20Automation%20role%20to%20the%20resource%20group%20of%20your%20workspace.%20Look%20in%20settings%20for%20setup%20UI%20and%20instructio
ns.%3CBR%20%2F%3E%3CBR%20%2F%3ENow%20your%20logic%20app%20will%20start%20being%20triggered%20by%20every%20new%20incident.%20Now%20you%20have%20a%20good%20mechanism%20to%20start%20adding%20activities%20and%20testing%20the%20logic%20app.%20Using%20%22run%20trigger%22%20doesn't%20work%20with%20triggers%20that%20require%20input.%20%3CBR%20%2F%3E%3CBR%20%2F%3EBeyond%20that%20I%20recommend%20importing%20some%20sample%20Logic%20Apps%20from%20the%20Sentinel%20repo%20for%20comparison.%20That%20initial%20trigger%20may%20not%20bring%20in%20all%20of%20the%20data%20you%20want%2Fneed.%20You%20can%20run%20secondary%20activities%20from%20the%20Sentinel%20connector.%20It%20is%20not%20uncommon%20to%20see%20a%20Sentinel%20trigger%20followed%20by%20a%20Sentinel%20activity%3B%20like%20Get%20an%20entity%2C%20or%20Get%20Incident.%20Sometimes%20those%20activities%20pull%20additional%20information%20or%20present%20it%20in%20a%20more%20useful%20way.%20There%20is%20also%20a%20Azure%20Monitor%20connector%20that%20can%20read%20data%20from%20the%20workspace%20directly.%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2842519%22%20slang%3D%22en-US%22%3ERe%3A%20Playbook%20(Logic%20App)%20-%20trigger%20-%20When%20Azure%20Sentinel%20incident%20creation%20rule%20was%20triggered%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2842519%22%20slang%3D%22en-US%22%3ETHANK%20YOU%20ANDREW%20(and%20everyone)!!!%20I%20think%20I%20get%20it%20now.%20Great%20explanation.%3CBR%20%2F%3E%3CBR%20%2F%3EFunny%20thing%20is%20I'm%20quite%20fluent%20with%20many%20of%20the%20Github%20playbooks%20but%20I've%20never%20used%20this%20automation%20feature%20from%20within%20the%20playboks%20-%20I've%20successfully%20imported%2Ffixed%20over%2030%20of%20them%20in%20my%20Azure%20lab.%3CBR%20%2F%3E%3CBR%20%2F%3EIf%20you%20have%20any%20recommended%20training%20with%20playbooks%20specific%20to%20Sentinel%20I'd%20be%20interested.%3CBR%20%2F%3EClearly%20my%20self-learning%20on%20this%20topic%20contains%20some%20gaps.%3CBR%20%2F%3E%
3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2842703%22%20slang%3D%22en-US%22%3ERe%3A%20Playbook%20(Logic%20App)%20-%20trigger%20-%20When%20Azure%20Sentinel%20incident%20creation%20rule%20was%20triggered%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2842703%22%20slang%3D%22en-US%22%3EI%20haven't%20seen%20any%20specific%20training%20on%20Logic%20Apps%20for%20Sentinel.%20As%20you%20have%20seen%2C%20every%20connector%2Factivity%20has%20its%20quirks.%20The%20Automation%20Rules%20are%20new%20and%20most%20of%20the%20GitHub%20examples%20are%20using%20the%20alerts%20trigger.%20Logic%20Apps%20are%20all%20about%20trial%20and%20error.%3CBR%20%2F%3E%3CBR%20%2F%3ECheck%20out%20the%20run%20after%20feature%20if%20this%20is%20new...super%20cool.%3CBR%20%2F%3E%3CBR%20%2F%3ERun%20After%3A%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Flogic-apps%2Flogic-apps-exception-handling%23customize-run-after-behavior%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Flogic-apps%2Flogic-apps-exception-handling%23customize-run-after-behavior%3C%2FA%3E%3CBR%20%2F%3ELogic%20Apps%20Learning%20Path%3A%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Flearn%2Fpaths%2Fbuild-workflows-with-logic-apps%2F%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Flearn%2Fpaths%2Fbuild-workflows-with-logic-apps%2F%3C%2FA%3E%20%3CBR%20%2F%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2842995%22%20slang%3D%22en-US%22%3ERe%3A%20Playbook%20(Logic%20App)%20-%20trigger%20-%20When%20Azure%20Sentinel%20incident%20creation%20rule%20was%20triggered%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2842995%22%20slang%3D%22en-US%22%3EInteresting%20I%20didn't%20know%20run%20after%20was%20new.%3CBR%20%2F%3EI%20saw%20that%20in%20the%20json%20for%20all%20the%20rules%20but%20the%20GUI%20exposure%20maybe%20is%20the%20new%20piece%3F%3CBR%20%2F%3E%3CBR%20%2
F%3EOne%20thing%20I'd%20like%20to%20have%20as%20a%20feature%20is%20an%20END%20operator%2C%20or%20a%20'fail%20silently'.%3CBR%20%2F%3EFor%20example%20I%20don't%20like%20to%20see%20a%20'failed'%20result%20if%20one%20parallel%20branch%20of%20my%20logic%20app%20fails%20and%20the%20other%203%20branches%20succeed.%3CBR%20%2F%3EI%20could%20use%20an%20if%2Fthen%20condition%20but%20I%20was%20hoping%20there%20was%20a%20way%20to%20end%20silently%20w%2Fo%20failing.%3CBR%20%2F%3E%3CBR%20%2F%3E(that%20learning%20path%20is%20super%20basic%2C%20but%20thanks%20for%20sharing)%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2844435%22%20slang%3D%22en-US%22%3ERe%3A%20Playbook%20(Logic%20App)%20-%20trigger%20-%20When%20Azure%20Sentinel%20incident%20creation%20rule%20was%20triggered%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2844435%22%20slang%3D%22en-US%22%3E%3CP%3EIf%20anyone%20needs%20the%20exact%20steps%20I%20took%20to%20convert%20my%20playbook%20from%20a%20user-triggered%20(alert%20based)%20playbook%20to%20a%20'global%20automation'%20(incident%20based)%20playbook%20here%20they%20are%3A%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E(warning%2C%20there%20is%20a%20cost%20to%20using%20automation%20rules%2C%20so%20if%20you%20trigger%20a%20lot%20of%20incidents%20you%20might%20want%20to%20keep%20tabs%20on%20the%20charges)%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSTRONG%3EHow%20to%20convert%20an%20'Alert'%20triggering%20playbook%20to%20an%20'Incident'%20triggering%20playbook%20with%20a%20'global%20automation%20rule'%20that%20will%20trigger%20for%20all%20of%20your%20incidents.%3C%2FSTRONG%3E%3C%2FP%3E%3CP%3E1.%20Clone%20your%20old%20'Alert%20triggering'%20playbook%3CBR%20%2F%3E2.%20Replace%20the%20first%20logic%20app%20operator%20(the%20'Sentinel%20alert'%20operator)%20with%20the%20'Sentinel%20Incident'%20operator.%3C%2FP%3E%3CP%3E3.%20Create%20an%20automation%20rule%20as%20shown%20in%20the%20screenshot%20below.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EOptional%3A%20If%20you'

Hi

I am attempting to use the trigger "When Azure Sentinel incident creation rule was triggered" that's in preview.

But the playbook is not triggered, even if I know that I have a new incident in Sentinel.

What's missing from the configuration?

30 Replies

@erlendoyen You are probably not going to get much help here as, like you said, the feature is in private preview and we are unable to discuss it.  There should be some email addresses in the preview documents that you can use to ask for assistance.

 

Hm, I have not applied for a private preview so I assumed it's public preview now?

@erlendoyen I think what is happening is the Incident trigger is showing up when creating Playbooks but you still need to be part of the private preview to use it.  I am trying to get verification of this and if I am wrong I will let you know.

Aha, ok where can I sign up for the private preview? Any idea on when it will be public?

@erlendoyen Go to Analytics and click the alert rule that you want to get alerted on and edit it. The rule type has to be scheduled for you to be able to trigger the playbook. Go to automated response type and select the playbook/logic app that you created and save it. 

It's kind of confusing but you will have to do it for every alert rule and it doesn't do it for every rule automatically as the logic app suggests.
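The per-rule binding described in the post above, scripted so the same incident-trigger playbook is attached to every enabled Scheduled analytics rule in a workspace instead of being clicked through rule by rule. This is an added example, not code from the thread or from Microsoft's documentation; the resource group, workspace and playbook names, the trigger name, and the Az.SecurityInsights 1.x cmdlet parameter names are assumptions to verify against your own environment.

```powershell
# Added example (not from the thread): attach one incident-trigger playbook to every
# enabled Scheduled analytics rule, so it fires for each incident those rules create.
# Assumes Connect-AzAccount has been run, and the Az.LogicApp and Az.SecurityInsights 1.x
# modules (the later rewrite of Az.SecurityInsights renames some parameters, e.g. -AlertRuleId).
Import-Module Az.LogicApp
Import-Module Az.SecurityInsights

$ResourceGroup = 'rg-sentinel'       # assumption: resource group holding workspace and playbook
$WorkspaceName = 'law-sentinel'      # assumption: Log Analytics workspace Sentinel is enabled on
$PlaybookName  = 'Enrich-Incident'   # assumption: a Logic App whose trigger is
                                     # "When Azure Sentinel incident creation rule was triggered"

# The designer names the trigger after its display name with underscores; verify with:
#   (Get-AzLogicApp -ResourceGroupName $ResourceGroup -Name $PlaybookName).Definition.triggers
$TriggerName = 'When_Azure_Sentinel_incident_creation_rule_was_triggered'   # assumption

$playbook   = Get-AzLogicApp -ResourceGroupName $ResourceGroup -Name $PlaybookName
# The callback URL carries a SAS signature: treat it as a secret and do not log it.
$triggerUrl = Get-AzLogicAppTriggerCallbackUrl -ResourceGroupName $ResourceGroup `
                  -Name $PlaybookName -TriggerName $TriggerName

# Only Scheduled rules can carry an automated response (see the post above), so filter
# on Kind first; Fusion and Microsoft-security rules are skipped.
$rules = Get-AzSentinelAlertRule -ResourceGroupName $ResourceGroup -WorkspaceName $WorkspaceName |
         Where-Object { $_.Kind -eq 'Scheduled' -and $_.Enabled }

foreach ($rule in $rules) {
    # Make the script safe to re-run: skip rules already pointing at this playbook.
    # (LogicAppResourceId on the returned action object is an assumption; check the
    # output of Get-AzSentinelAlertRuleAction once if your module version differs.)
    $existing = Get-AzSentinelAlertRuleAction -ResourceGroupName $ResourceGroup `
                    -WorkspaceName $WorkspaceName -AlertRuleId $rule.Name
    if ($existing | Where-Object { $_.LogicAppResourceId -eq $playbook.Id }) {
        Write-Host "Already attached: $($rule.DisplayName)"
        continue
    }

    New-AzSentinelAlertRuleAction -ResourceGroupName $ResourceGroup -WorkspaceName $WorkspaceName `
        -AlertRuleId $rule.Name -LogicAppResourceId $playbook.Id -TriggerUri $triggerUrl.Value | Out-Null
    Write-Host "Attached playbook to: $($rule.DisplayName)"
}
```

The identity running this needs to read the playbook's trigger callback URL and edit analytics rules (Logic App Contributor on the playbook and Azure Sentinel Contributor on the workspace cover both). Because the binding lives on each rule, a rule created later will not get the playbook until the script is run again; that is the limitation the automation rules mentioned further down this thread were introduced to remove.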

@Ofer_Shezaf Is this the only option to trigger a playbook against an incident? 

[Screenshot: sammyredo_0-1602787993091.png]

The first option which I am able to use Only triggers against generated alerts.

Is there any other option you know of, if I want to trigger a playbook with an Incident?

As mentioned, the second one, which is what you need, is in private preview.

@erlendoyen

Private previews tend to move pretty fast with Sentinel. Worth the wait on the new activity.

If you need something sooner you can schedule a query against the incidents table using the "Run query and list results" activity. https://azurecloudai.blog/2020/09/23/sentinel-email-notification-logic-app/

@erlendoyen If you have a Microsoft NDA, you can sign up for our preview program at www.aka.ms/SecurityPrP 

Anyone know when this will be publicly available?

When can we expect this to work? Even the private preview doesn't work. Microsoft failed in delivering this again?

@PrashTechTalk: I am not aware that the private preview does not work. That said, the feature will be supported as part of a larger motion to enhance Sentinel automation, called automation rules, which is entering private preview as we speak.

@Ofer_Shezaf - Playbook is not listed at the automated response section of the analytics rule (when in edit).  Tenant is registered for private preview but sadly none of the playbook using new trigger displays in the automated response list. 

What is the GA date for this feature in logic apps? Is there anybody who is aware of this?

It was announced at Ignite it would go to public preview soon
https://techcommunity.microsoft.com/t5/azure-sentinel/microsoft-ignite-2021-what-s-new-in-azure-sent...
No news has been out on when it will become available in our subscriptions.

Started rolling out gradually to public preview today. Should be 100% rolled out in two weeks.

This great feature is on GA now!!!

Thank you!!

Regards

Hi everyone,
Do these logic apps/playbooks still need to be attached to every single analytics rule?
I'd like to create a 'global' playbook to add contextual information to every incident.
e.g. apply MITRE SHIELD information to every incident's comment section.
I'm not eager to go to all 300 analytic rules and assign a playbook.