In this article, we will discuss how to create a playbook in Azure Sentinel, but before that, we will learn what Azure Sentinel playbooks are. Along with that, we will also cover how to create the automation rule that runs the playbook.
Azure Sentinel Playbooks
Azure Sentinel Playbooks are a set of actions (a Logic App workflow) that you can run from Microsoft Sentinel in response to an alert or incident.
You can either run a playbook manually on an incident, or attach it to an automation rule so that it runs automatically whenever that rule is triggered by an alert or incident.
Azure Sentinel Playbook Examples
Follow the below steps to create a playbook in Azure Sentinel.
1. Navigate to the Microsoft Sentinel page.
2. Click on the Automation link from the left side –> Click on the + Create dropdown –> Select the Playbook with incident trigger option.
3. On the Create Logic App page –> click on the Basics tab and provide the below details:
- Subscription: Select a valid Azure subscription.
- Resource Group: Select an existing resource group or click on the Create new link to create a new Resource Group you want to use here.
- Region: Select the region or location.
- Playbook name: Enter a unique name for your Playbook.
If you want, you can also enable diagnostics by selecting the “Enable diagnostics logs in Log Analytics” checkbox.
After providing all the details on the Basics tab, click the Next: Connections button. Keep the default values on the Connections tab and click on the Next: Review and Create button.
4. Click the Create and continue to Designer button in the next window.
On the designer page, you will see the Microsoft Sentinel incident trigger is already added by default.
5. Click on the + New step. Search for “send an email” –> choose Send an email (V2).
6. Click on the Sign-in button to sign in.
7. Here is the Send an email (V2) step. Enter the email address for the To option. Enter the Subject and body.
8. Click on the Save button to save the template.
Now that you have created your Microsoft Sentinel playbook with an incident trigger, the next step is to set the condition under which the playbook will run, which you do by creating an automation rule.
Creating an automation rule in Microsoft Sentinel
In order to create an automation rule in Microsoft Sentinel in the Azure Portal, follow the below steps.
1. On the Microsoft Sentinel page –> click on the Automation option from the left navigation, then click on the + Create dropdown and select the Automation rule option.
2. On the Create new automation rule window, provide the below details:
- Automation rule name: Provide a unique name for the automation rule.
- Trigger: Select the trigger option based on your requirements.
- Conditions: Select the conditions; you can also click on the + Add condition button to add more conditions.
- Actions: Select the Run Playbook option.
- Then on the next dropdown, choose the Playbook name that we have created above.
But for me, I am not able to select the Playbook. The playbook option is grayed out in the dropdown list, and the error it shows is “No Microsoft sentinel Permissions,” so it is disabled for me. This issue occurs because we need to give permission on the Resource Group of the playbook before we can select the playbook here.
- To configure the permission, click on the Settings option on the Microsoft Sentinel page under the Configurations section from the left navigation.
- Now, click on the Settings tab from the top –> Expand the Playbook permissions option –> click on the Configure permissions button.
- On the Manage permissions window, select the Resource Group your playbook belongs to, then click the Apply button.
Note: It is better to first give permission on the Resource Group that your playbook belongs to, and then perform step-1 and step-2.
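If the playbook is still grayed out after the steps above, the same permission can be checked and granted from PowerShell. This is an added example, not part of the original article; it assumes the Az PowerShell modules (Az.Accounts, Az.Resources) and a signed-in session with rights to assign roles on the resource group, and it assumes that the portal's Configure permissions button assigns the Microsoft Sentinel Automation Contributor role to Sentinel's "Azure Security Insights" service principal, which the article itself does not state.

```powershell
# Added example (not from the article): verify, and if missing grant, the role
# Microsoft Sentinel needs on the playbook's resource group so the playbook becomes
# selectable in an automation rule. Assumption: the portal's "Configure permissions"
# assigns "Microsoft Sentinel Automation Contributor" to the Sentinel service principal.
param(
    [Parameter(Mandatory)] [string] $SubscriptionId,    # placeholder: your subscription id
    [Parameter(Mandatory)] [string] $ResourceGroupName  # resource group that holds the playbook
)

$roleName = 'Microsoft Sentinel Automation Contributor'
# Scope the grant to the resource group only (least privilege), not the whole subscription.
$scope    = "/subscriptions/$SubscriptionId/resourceGroups/$ResourceGroupName"

# Sentinel runs playbooks under the first-party service principal "Azure Security Insights".
$sentinelSp = Get-AzADServicePrincipal -DisplayName 'Azure Security Insights'
if (-not $sentinelSp) { throw 'Sentinel service principal "Azure Security Insights" not found in this tenant.' }

# Get-AzRoleAssignment with -Scope also returns assignments inherited from parent scopes,
# so an existing subscription-level grant is detected too.
$existing = Get-AzRoleAssignment -ObjectId $sentinelSp.Id -Scope $scope |
    Where-Object { $_.RoleDefinitionName -eq $roleName }

if ($existing) {
    Write-Host "OK: '$roleName' already granted to Sentinel at scope $($existing[0].Scope)"
}
else {
    Write-Host "Missing: granting '$roleName' on $scope"
    New-AzRoleAssignment -ObjectId $sentinelSp.Id -RoleDefinitionName $roleName -Scope $scope | Out-Null
}

# Audit: list the playbooks (Logic Apps) in this group that Sentinel is now allowed to run.
Get-AzResource -ResourceGroupName $ResourceGroupName -ResourceType 'Microsoft.Logic/workflows' |
    Select-Object Name, Location
```

Run it as `.\Grant-SentinelPlaybookPermission.ps1 -SubscriptionId <id> -ResourceGroupName <rg>` after `Connect-AzAccount`; role assignments can take a minute to propagate before the dropdown in the automation rule is enabled.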
Now again, follow step-1 and step-2 to create the new automation rule. You can see below that I am able to select the playbook we created above, and it’s enabled for me. –> Click on the Apply button, and you are done.
In this article, we discussed Azure Sentinel Playbooks and how to create a playbook in Azure Sentinel, and along with that, we discussed how to create an automation rule in Microsoft Sentinel. Thanks for reading this article!!!
I am Rajkishore, and I have over 14 years of experience in Microsoft Azure and AWS, with good experience in Azure Functions, Storage, Virtual Machine, Logic Apps, PowerShell Commands, CLI Commands, Machine Learning, AI, Azure Cognitive Services, DevOps, etc. Not only that, I do have good real-time experience in designing and developing cloud-native data integrations on Azure or AWS, etc. I hope you will learn from these practical Azure tutorials.