Sentinel Incident does not trigger Playbook

Bram vd Klinkenberg 26 Reputation points
2021-09-25T16:57:45.28+00:00

I have enabled continuous export in Azure Security Center to export the Container Vulnerability Recommendations to a Log Analytics workspace that is connected to Sentinel. That works, I can query the SecurityNestedRecommendation table.

I then created an analytics rule which has an automated response (incident automation), which is a playbook and is connected to an automation rule.

The logic app (playbook) is a simple flow that uses the "When Azure Sentinel incident creation rule was triggered" trigger and a teams "Post message in chat or channel" action.

When I build and push a new image to my ACR I see the adjustment of the recommendation (new image is added) and a bit later on in Sentinel an incident has been created, but my automated incident response playbook is not triggered and I have no clue why :-).


1 answer

  1. Bram vd Klinkenberg 26 Reputation points
    2021-09-25T20:03:00.35+00:00

    I had to create a playbook that uses the flow "When a response to an Azure Sentinel Alert is triggered" and in the analytics rule I then used the playbook in Alert automation.
