Microsoft Secure Tech Accelerator
Apr 03 2024, 07:00 AM - 11:00 AM (PDT)
Microsoft Tech Community

Unable to add playbook to automated incident response for Azure Sentinel

Copper Contributor

I created a playbook using an Azure Sentinel Incident creation trigger, which shows up as in preview.

 

I can test everything from the playbook itself: it's able to generate an email and/or slack message depending on the situation.

 

However, when going to azure sentinel incident rule settings, no playbook show up as available.

 

I can confirm that if I list all configured playbooks, that one shows an Azure Sentinel Incident (preview) trigger kind. 

7 Replies

@mjamati Is the Analytics rule with which you are trying to add the Playbook a custom rule created by you or default one/Fusion Rule built by Microsoft?

For Fusion/Default rule created by Microsoft, you won't be able to attach a Playbook. The feature is currently not in Public Preview.

This is a private preview and can only be accessed through the private preview program.
If you have an active NDA with Microsoft, you could enroll into the program => https://forms.office.com/Pages/ResponsePage.aspx?id=v4j5cvGGr0GRqy180BHbR-kibZAPJAVBiU46J6wWF_5URDFS...
Can we attach the playbook to the fusion rule? As you are saying it is in public preview, where is the option to do it? Can you help me with this process, please?

@mjamati  Bumping this .

 

I am also unable to add playbooks to a Fusion Rule. I am able to see some playbooks within the "run playbook - action" but not all including the one I wish to use. I also can't see any difference in the playbooks I can and can't see. They are in the same resource group ect.

@Hcrossley I am able to see the "Advanced Multistage Attack Detection" fusion rule when I am look at the listing of all the rules.  (ignore the blank entries in the list, that is another issue)

 

GaryBushey_0-1633002681243.png

 

@Gary Bushey So my issue is when you select "run a playbook" It then only shows certain logic apps that can be run and not others. But I am unsure why it doesn't show them.

My guess would be that the ones you see use the Azure Sentinel Incident trigger and the others do not. Only those playbooks that use the Azure Sentinel Incident trigger can be used with Automation so those are the only ones that will be shown in the listing