How to create playbook in Azure Sentinel

by
How to create playbook in Azure Sentinel

In this article, we will discuss how to create playbook in Azure Sentinel but before that, we will learn about azure sentinel playbooks. Along with that, we will also learn a few other topics mentioned below.

Azure Sentinel Playbooks

Azure Sentinel Playbooks are a set of actions that you can run from your Microsoft Sentinel in a specified timeline.

You can either run it manually or you can set it like once any automation rule triggers any alerts or incidents, it will run automatically.

How to create playbook in Azure Sentinel

Follow the below steps to create a playbook in Azure Sentinel.

  1. Navigate to the Microsoft Sentinel page.
  2. Click on the Automation link from the left side. –> Click on + Create dropdown –> Select the Playbook with incident trigger option.
Create a playbooks in Azure Sentinel

3. On the Create Logic App page –> click on the Basics tab, and provide the below details

  • Subscription: Select a valid Azure subscription.
  • Resource Group: Select an existing resource group or you can click on the Create new link to create a new Resource Group that you want to use here.
  • Region: Select the region or location.
  • Playbook name: Enter a unique name for your Playbook.

If you want you can enable the “Enable diagnostics logs in Log Analytics” by selecting the checkbox.

After providing all the details on the Basics tab, click on the Next: Connections button. Keep all the value as it is in the connection tab and click on the Next: Review and create button.

Create playbook in Azure Sentinel
How to Create a simple Azure Sentinel playbook

4. Click on the Create and continue to designer button on the next window.

On the designer page, you will see the Microsoft Sentinel incident trigger is already added by default.

What are playbooks in Azure Sentinel

5. Click on the + New step. Search for “send an email” –> choose Send an email (V2).

How do you make a playbook in Microsoft Sentinel

6. Click on the Sign-in button to sign in.

How do you make a playbook template

7. Here on the Send an email (V2) step. Enter the email address for the To option, Enter the Subject and body.

What is a Playbook example

8. Click on the Save button to save the template.

Now that you have created your Microsoft Sentinel playbook with incident trigger successfully, As a next step, you need to set a condition when the playbook will run which you can do by creating an automation rule.

Read: Azure Sentinel vs Security Center

Creating an automation rule in Microsoft sentinel

In order to create an automation rule in Microsoft sentinel in Azure Portal, follow the below steps.

  1. On the Microsoft Sentinel page –> click on the Automation option from the left navigation and then click on the + Create dropdown and select the Automation rule option.
Creating an automation rule in Microsoft sentinel

2. On the Create new automation rule window, Provide the below details

  • Automation rule name: Provide a unique name for the automation rule.
  • Trigger: Select the trigger option based on your requirement.
  • Conditions: select the conditions and you can also click on the + Add condition button to add more conditions.
  • Actions: Select the Run playbook option.
  • Then on the next dropdown choose the Playbook name that we have created above.
How to create a new automation rule in Azure Sentinel

But for me I am not able to select the Playbook, the playbook option is grayed out in the dropdown list, and the error it is showing is “No Microsoft sentinel Permissions” and it is disabled for me. This issue is because we need to give Permission to the Resource Group that the playbook belongs then only we can able to select the playbook here.

  • To configure the permission, On the Microsoft Sentinel page, click on the Settings option under the Configurations section from the left navigation.
How to Create an automation rule in Microsoft sentinel
  • Now, click on the Settings tab from the top –> Expand the Playbook permissions option –> click on the Configure permissions button.
No Microsoft sentinel Permissions
  • On the Manage permissions window, select the Resource Group that your playbook belongs to, and then click on the Apply button.
How to give Sentinel permissions to run playbooks

Note: Better first, you give permision to the Resource Group that your playbook belongs to and then perform step-1 and step-2.

Now again follow step-1 and step-2 to create the new automation rule. You can able to see below, that I am able to select the playbook and it’s enabled for me that we have created above. –> Click on the Apply button and you are done.

Create new automation rule Azure Sentinel

You may also like following the below articles

Wrapping Up

In this article, we discussed Azure Sentinel Playbooks, and how to create playbook in Azure Sentinel, and along with that, we discussed how to create an automation rule in Microsoft sentinel. Thanks for reading this article !!!