Fire LogicApp when log appears in Sentinel?

Question

I have a number of logic apps which run on a schedule to send an email relating to AD actions that are triggered, for example account lock / unlock, account disable / re-enable and password change. These are set to run on a schedule using a recurrance pane, which links into the query and then onto a send email pane.

Is there any way I can trigger the app if this event goes into Sentinel, so in effect an "immediate" trigger? If not via logicapp, is there a way to do this in Sentinel?

Answer 1

@Scott, Mark Thanks for reaching out. Have you already seen the Automation Rules under Automation option for sentinel where you can trigger a playbook.

Automation rules are triggered by the creation of incidents. You can set conditions to govern when actions will run, based on the incident and entity details and on analytics rules. You can also set the order of actions and the rule’s expiration time.

Read how they work : https://learn.microsoft.com/en-us/azure/sentinel/automate-responses-with-playbooks
Here is a nice tutorial about it : https://learn.microsoft.com/en-us/azure/sentinel/tutorial-respond-threats-playbook

Let us know if this helps.

-----------------------------------------------------------------------------------------------------

Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

Answer 2

Thanks for your response, apologies I have only recently started with Azure Sentinel. I will have a look around your links. interrestingly, in my environment I can see the LogicApps appearing under playbooks: