In this article, we will discuss how to create a playbook in Azure Sentinel, but before that, we will learn what Azure Sentinel playbooks are. Along with that, we will also cover the related topics listed below.
Azure Sentinel Playbooks
Azure Sentinel Playbooks are a set of actions that you can run from Microsoft Sentinel according to a schedule or in response to an event.
You can either run a playbook manually, or you can attach it to an automation rule so that it runs automatically whenever that rule is triggered by an alert or incident.
How to create playbook in Azure Sentinel
Follow the below steps to create a playbook in Azure Sentinel.
1. Navigate to the Microsoft Sentinel page.
2. Click on the Automation link from the left side –> Click on the + Create dropdown –> Select the Playbook with incident trigger option.
3. On the Create Logic App page –> click on the Basics tab, and provide the details below:
- Subscription: Select a valid Azure subscription.
- Resource Group: Select an existing resource group, or click on the Create new link to create a new Resource Group that you want to use here.
- Region: Select the region or location.
- Playbook name: Enter a unique name for your Playbook.
If you want, you can enable “Enable diagnostics logs in Log Analytics” by selecting the checkbox.
After providing all the details on the Basics tab, click on the Next: Connections button. Keep all the values as they are on the Connections tab and click on the Next: Review and create button.
4. Click on the Create and continue to designer button on the next window.
On the designer page, you will see the Microsoft Sentinel incident trigger is already added by default.
5. Click on the + New step. Search for “send an email” –> choose Send an email (V2).
6. Click on the Sign-in button to sign in.
7. On the Send an email (V2) step, enter the email address for the To option, then enter the Subject and Body.
8. Click on the Save button to save the template.
Now you have successfully created your Microsoft Sentinel playbook with an incident trigger. As a next step, you need to set the condition under which the playbook will run, which you do by creating an automation rule.
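Behind the designer, the playbook built in steps 5 to 8 is a Logic App workflow definition. As an added example that is not part of this article, the code below reconstructs that definition (the Microsoft Sentinel incident trigger feeding a Send an email (V2) action whose subject and body read fields from the incident payload) and lints it for the two properties that must hold before it can be attached to an incident automation rule: it uses the incident trigger, and every step references a connection the Logic App actually declares. The connector paths are those of the azuresentinel and office365 managed APIs; step names, addresses and the lint messages are my own placeholders.

```python
# Added example: workflow definition behind an incident-triggered email playbook,
# plus a lint over it. Step names and addresses are constructed placeholders.
SENTINEL_INCIDENT_PATH = "/incident-creation"  # Microsoft Sentinel incident trigger
OFFICE365_MAIL_PATH = "/v2/Mail"               # Send an email (V2)


def connection_ref(api: str) -> dict:
    """Host block that points a step at a connection declared in $connections."""
    return {"connection": {"name": f"@parameters('$connections')['{api}']['connectionId']"}}


def incident_field(name: str) -> str:
    """Logic App expression reading one property of the triggering incident."""
    return "@{triggerBody()?['object']?['properties']?['%s']}" % name


def incident_email_playbook(to_address: str) -> dict:
    """Definition equivalent to what the designer produces for steps 5-8 above."""
    return {
        "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
        "contentVersion": "1.0.0.0",
        "parameters": {"$connections": {"defaultValue": {}, "type": "Object"}},
        "triggers": {"Microsoft_Sentinel_incident": {
            "type": "ApiConnectionWebhook",
            "inputs": {"body": {"callback_url": "@{listCallbackUrl()}"},
                       "host": connection_ref("azuresentinel"), "path": SENTINEL_INCIDENT_PATH}}},
        "actions": {"Send_an_email_(V2)": {
            "runAfter": {}, "type": "ApiConnection",
            "inputs": {"method": "post", "path": OFFICE365_MAIL_PATH,
                       "host": connection_ref("office365"),
                       "body": {"To": to_address,  # incident fields come from the trigger payload
                                "Subject": "Sentinel incident " + incident_field("incidentNumber")
                                           + ": " + incident_field("title"),
                                "Body": "<p>Severity: " + incident_field("severity")
                                        + "<br>" + incident_field("incidentUrl") + "</p>"}}}},
        "outputs": {}}


def lint_playbook(definition: dict, declared_connections: set) -> list:
    """Return findings that would keep this playbook out of an incident automation rule."""
    findings = []
    triggers = definition.get("triggers", {})
    if not any(t.get("type") == "ApiConnectionWebhook" and
               t.get("inputs", {}).get("path") == SENTINEL_INCIDENT_PATH for t in triggers.values()):
        findings.append("playbook does not use the Microsoft Sentinel incident trigger")
    for name, step in {**triggers, **definition.get("actions", {})}.items():
        ref = step.get("inputs", {}).get("host", {}).get("connection", {}).get("name", "")
        api = ref.split("['")[1].split("']")[0] if "['" in ref else None  # 'azuresentinel' etc.
        if api and api not in declared_connections:
            findings.append(f"step {name} uses connection '{api}' that the Logic App does not declare")
    return findings
```

Running `lint_playbook(incident_email_playbook("soc@example.com"), {"azuresentinel", "office365"})` returns an empty list; dropping `office365` from the declared set, or changing the trigger path, produces one finding each.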
Creating an automation rule in Microsoft Sentinel
To create an automation rule in Microsoft Sentinel from the Azure Portal, follow the steps below.
1. On the Microsoft Sentinel page –> click on the Automation option from the left navigation, then click on the + Create dropdown and select the Automation rule option.
2. On the Create new automation rule window, provide the details below:
- Automation rule name: Provide a unique name for the automation rule.
- Trigger: Select the trigger option based on your requirement.
- Conditions: Select the conditions; you can also click on the + Add condition button to add more conditions.
- Actions: Select the Run playbook option.
- Then, in the next dropdown, choose the name of the playbook that we created above.
But for me, I am not able to select the playbook: the playbook option is grayed out in the dropdown list, the error it shows is “No Microsoft Sentinel Permissions”, and it is disabled for me. This issue is because we need to give permission to the Resource Group that the playbook belongs to; only then can we select the playbook here.
- To configure the permission, on the Microsoft Sentinel page, click on the Settings option under the Configuration section from the left navigation.
- Now, click on the Settings tab from the top –> Expand the Playbook permissions option –> click on the Configure permissions button.
- On the Manage permissions window, select the Resource Group that your playbook belongs to, and then click on the Apply button.
Note: It is better to first give permission to the Resource Group that your playbook belongs to, and then perform step 1 and step 2.
Now follow step 1 and step 2 again to create the new automation rule. As you can see below, I am now able to select the playbook that we created above, and it is enabled for me. –> Click on the Apply button and you are done.
In this article, we discussed Azure Sentinel Playbooks and how to create a playbook in Azure Sentinel, and along with that, we discussed how to create an automation rule in Microsoft Sentinel. Thanks for reading this article!