Playbook as automated response for all Analytics rules | Azure Sentinel

Antti Kosonen 1

I have created a playbook that will trigger certain alerts, and I want to set this as an automated response for all rules. I can manually set this playbook as an automated response for any Analytics rule, but how can I set it for all rules, including new rules in the future? Enabling it manually for each rule is tiresome, and prone to mistakes.

1 answer

Marilee Turscak-MSFT 34,546 Reputation points Microsoft Employee

2021-01-15T22:29:43.017+00:00

Hi @Antti Kosonen ,

Are you looking for a way to get alerts whenever there is an incident in Azure Sentinel?

If so, you can create a logic app and use "When a response to an Azure Sentinel alert is triggered" with the "Send an email" trigger as described in this blog post.

Let me know if this is what you are looking for or if I am misunderstanding the goal.
Please sign in to rate this answer.
Antti Kosonen 1 Reputation point

2021-01-17T19:21:13.887+00:00

Hi, Marilee,

Sorry, but you are misunderstanding what I'm after. Yes, I have created a logic app like that, with "When a response to an Azure Sentinel alert is triggered" as the start point. However, that does not mean, that it will run whenever any alert is triggered - for that it needs to be set as an "Automated response" for the Analytics rule.

For example, I'm just now looking at a Sentinel Incident report from this afternoon, an I my playbook is there when I click "View playbooks" like in Step 12 of your link. However, the playbook was not run when the incident happened. The reason is that I had not set the playbook as an "Automated response" for this specific type of incident. Had I done that, it would have been run.

My problem is that I would have to do this manual setting for every type of incident separately (as I want the alert to trigger for all incidents), and I'm looking for a better way.
Sign in to comment

Share via

Playbook as automated response for all Analytics rules | Azure Sentinel

1 answer