Forum Discussion
Playbooks appear in playbooks list, but not available for automated response (bis)
And: Unable to add playbook to automated incident response for Azure Sentinel (Not relevant)
Assoc. Doc. https://docs.microsoft.com/fr-fr/azure/sentinel/tutorial-respond-threats-playbook )
Hi Microsoft,
I created a Logic App with handler "when incident creation in Sentinel rule was Triggered"*.
I got Read rights on the RG and Logic Apps operator & Contributor + Sentinel contributor.
I can see my LogicApp in the playbook thumb (enabled, with good trigger descirption), yet I can't see it when creating automation from "Automation" thumb. (Rule : "If analytics name contains : All")
Is it a bug? Did I miss something?
EDIT 07-20: added with Subscription owner rights the RG access to Sentinel Automation, giving "Azure Sentinel Automation Contributor"rights to “Azure Security Insights” on the resource group. Source. No effect.
* I18n approximative from French.
- I found it! it was a bug!
When a logic App is created with the wrong trigger at first (alert instead of incident), it's not seen by Automation rule plaubook menu (normal).
But even when afterwards trigger is changed to "Incident rule was created", playbook type is still not updated, so Automation rule can't see it.
had to delete my Logic App and recreate it to make it work.
Hi Rod_Trent,
Thank you for your answer. That one was rather tricky, interface is not clear for automation for this subject.
I successfully applied right permission to my user (I got Sub owner account in parallel) AND followed your tutorial (from : https://docs.microsoft.com/fr-fr/azure/sentinel/tutorial-respond-threats-playbook). All rights are OK in RG IAM, I can see "Security Insights" having Automation rights (please note that my Logic App is in the same RG as Sentinel).
Not my user, nor even Owner can see playbook anyway in the "New automation rule" menu.- I found it! it was a bug!
When a logic App is created with the wrong trigger at first (alert instead of incident), it's not seen by Automation rule plaubook menu (normal).
But even when afterwards trigger is changed to "Incident rule was created", playbook type is still not updated, so Automation rule can't see it.
had to delete my Logic App and recreate it to make it work.
