Azure Sentinel - Playbook Options Missing

mpark714 1 Reputation point
2022-09-15T17:43:05.403+00:00

Does anyone else have this issue? I've set up a playbook for email notifications to be sent for incidents and I'm not able to see them. I've recreated the playbook again and it doesn't appear again when I try to use it. I can see the automation rules and playbooks in the automation sections though. TIA

Microsoft Sentinel

5 answers

  1. Andrew Blumhardt 9,861 Reputation points Microsoft Employee
    2022-09-15T19:12:24.09+00:00

    This will only list playbooks with an incident-based trigger. The secondary option lets you call alert-based playbooks. Also, make sure the workspace is authorized in settings. If that is good, maybe wait a bit and open a support case if persistent.


    1 person found this answer helpful.

  2. David Broggy 5,816 Reputation points MVP
    2022-09-15T20:10:33.03+00:00

    I would like to suggest one other possibility which I frequently come across.
    If you only have the Sentinel Contributor role, you will not see any listed playbooks.
    You must add the Logic App Contributor role within the resource group IAM permissions.


  3. mpark714 1 Reputation point
    2022-09-15T22:07:39.423+00:00

    Thanks for your replies.
    I've looked at both and it's configured properly - Sentinel has access to the entire resource group and I have access to the Logic App Contributor role + owner rights.


  4. JamesTran-MSFT 36,626 Reputation points Microsoft Employee
    2022-09-21T21:53:37.797+00:00

    @mpark714
    Thank you for your post and I apologize for the delayed response!

    When it comes to your Playbook not appearing within your automation rule, this is because your Logic App (Playbook) needs to either start with the Microsoft Sentinel incident trigger, or your Automation Rule Trigger needs to reflect that of your Playbook trigger.

    [Screenshot: Playbook using Alert Trigger, while the Automation rule is listing playbooks for the Incident trigger]
    Only playbooks that start with the incident trigger can be run from automation rules, so only they will appear in the list.

    [Screenshot: Playbook Trigger and Automation Rule trigger both being of kind Incident]

    To see what type of Playbook you created:
    Microsoft Sentinel -> Automation -> Active Playbooks -> Filter by Trigger kind

    I hope this helps!

    If you have any other questions, please let me know.
    Thank you for your time and patience throughout this issue.

    ----------

    Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.
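
Added example, not part of the original answers: a Python check that classifies an exported playbook (Logic App) definition by its Microsoft Sentinel trigger kind, the property the answer above says decides whether the playbook is listed in an automation rule. The trigger path values, the `azuresentinel` connection name, the function names and the sample definitions are assumptions constructed for illustration.

```python
# Assumption: path values the Microsoft Sentinel connector uses for its
# triggers in a Logic App workflow definition (not stated on this page).
SENTINEL_TRIGGER_PATHS = {
    "/incident-creation": "incident",
    "/subscribe": "alert",
}

def trigger_kinds(workflow: dict) -> set:
    """Return the Sentinel trigger kinds found in a Logic App definition."""
    definition = workflow.get("definition", workflow)
    kinds = set()
    for trig in definition.get("triggers", {}).values():
        inputs = trig.get("inputs", {})
        conn = inputs.get("host", {}).get("connection", {}).get("name", "")
        if "azuresentinel" not in conn.lower():
            continue  # not a Sentinel trigger (e.g. Recurrence, HTTP request)
        kinds.add(SENTINEL_TRIGGER_PATHS.get(inputs.get("path", ""), "unknown"))
    return kinds

def listed_in_rule_picker(workflow: dict, rule_trigger: str = "incident") -> bool:
    """True if the playbook trigger kind matches the automation rule trigger."""
    return rule_trigger in trigger_kinds(workflow)

def _sample(path: str) -> dict:
    """Constructed minimal definition with one Sentinel webhook trigger."""
    conn = "@parameters('$connections')['azuresentinel']['connectionId']"
    return {"definition": {"triggers": {"sentinel_trigger": {
        "type": "ApiConnectionWebhook",
        "inputs": {"host": {"connection": {"name": conn}}, "path": path},
    }}}}

INCIDENT_PLAYBOOK = _sample("/incident-creation")  # constructed sample
ALERT_PLAYBOOK = _sample("/subscribe")             # constructed sample
NON_SENTINEL = {"definition": {"triggers": {"timer": {"type": "Recurrence"}}}}

if __name__ == "__main__":
    samples = [("incident", INCIDENT_PLAYBOOK), ("alert", ALERT_PLAYBOOK),
               ("timer", NON_SENTINEL)]
    for name, wf in samples:
        print(f"{name:9} kinds={sorted(trigger_kinds(wf))} "
              f"listed_for_incident_rule={listed_in_rule_picker(wf)}")
```
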


  5. JamesTran-MSFT 36,626 Reputation points Microsoft Employee
    2022-09-27T22:47:12.8+00:00

    @mpark714
    Thank you for following up on this!

    Since you have the correct Logic App Trigger - Microsoft Sentinel incident (Preview), can you make sure that the logic app is part of your Active Playbooks within Azure Sentinel?

    If the playbook (Logic App) isn't part of your Azure Sentinel Active Playbooks list, you'll have to create a new playbook in Microsoft Sentinel:

    1. From the Microsoft Sentinel navigation menu, select Automation.
    2. From the top menu, select Create.
    3. The drop-down menu that appears under Create gives you three choices for creating playbooks.

    If you have an active playbook and still aren't able to create an Incident trigger, please let me know.
    Thank you for your time and patience throughout this issue.


