Azure Sentinel Playbook Examples

How to create playbook in Azure Sentinel

In this article, we will discuss how to create a playbook in Azure Sentinel, but before that, we will learn what Azure Sentinel playbooks are. Along with that, we will also learn how to create an automation rule that runs the playbook.

Azure Sentinel Playbooks

Azure Sentinel Playbooks are a set of actions (built as a Logic App workflow) that you can run from Microsoft Sentinel in a specified order.

You can either run a playbook manually or attach it to an automation rule, so that whenever the rule is triggered by an alert or incident, the playbook runs automatically.

Azure Sentinel Playbook Examples

Follow the below steps to create a playbook in Azure Sentinel.

  1. Navigate to the Microsoft Sentinel page.
  2. Click on the Automation link from the left side. –> Click on + Create dropdown –> Select the Playbook with incident trigger option.

3. On the Create Logic App page –> click on the Basics tab and provide the below details:

  • Subscription: Select a valid Azure subscription.
  • Resource Group: Select an existing resource group or click on the Create new link to create a new Resource Group you want to use here.
  • Region: Select the region or location.
  • Playbook name: Enter a unique name for your Playbook.

If you want, you can select the “Enable diagnostics logs in Log Analytics” checkbox.

After providing all the details on the Basics tab, click the Next: Connections button. Keep the default values on the Connections tab and click on the Next: Review and Create button.


4. Click the Create and continue to Designer button in the next window.

On the designer page, you will see the Microsoft Sentinel incident trigger is already added by default.


5. Click on the + New step. Search for “send an email” –> choose Send an email (V2).


6. Click on the Sign-in button to sign in.


7. Here is the Send an email (V2) step. Enter the recipient email address in the To field, then enter the Subject and Body.


8. Click on the Save button to save the template.

Now that you have successfully created your Microsoft Sentinel playbook with an incident trigger, as a next step you need to define the condition under which the playbook will run, which you do by creating an automation rule.


Creating an automation rule in Microsoft Sentinel

In order to create an automation rule in Microsoft Sentinel in the Azure Portal, follow the below steps.

  1. On the Microsoft Sentinel page –> click on the Automation option from the left navigation and then click on the + Create dropdown and select the Automation rule option.

2. On the Create new automation rule window, provide the below details:

  • Automation rule name: Provide a unique name for the automation rule.
  • Trigger: Select the trigger option based on your requirements.
  • Conditions: select the conditions, and you can also click on the + Add condition button to add more conditions.
  • Actions: Select the Run Playbook option.
  • Then, in the next dropdown, choose the name of the playbook that we created above.

But for me, I am not able to select the playbook. The playbook option is grayed out in the dropdown list, the error it shows is “No Microsoft Sentinel Permissions,” and it is disabled for me. This issue is because we need to give permission to the Resource Group of the playbook so that we can select the playbook here.

  • To configure the permission, click on the Settings option on the Microsoft Sentinel page under the Configurations section from the left navigation.
  • Now, click on the Settings tab from the top –> Expand the Playbook permissions option –> click on the Configure permissions button.
  • On the Manage permissions window, select the Resource Group your playbook belongs to, then click the Apply button.

Note: It is better to first give the permission to the Resource Group that your playbook belongs to, and then perform step 1 and step 2.

Now, follow step 1 and step 2 again to create the new automation rule. You can see below that I am now able to select the playbook that we created above; it's enabled for me. –> Click on the Apply button, and you are done.

Wrapping Up

In this article, we discussed Azure Sentinel Playbooks and how to create a playbook in Azure Sentinel, and along with that, we discussed how to create an automation rule in Microsoft Sentinel. Thanks for reading this article!