Azure Sentinel Playbook Examples

How to create playbook in Azure Sentinel

In this article, we will discuss how to create a playbook in Azure Sentinel. Before that, we will look at what an Azure Sentinel playbook is, and we will also cover the related topics mentioned below.

Sentinel Playbooks

Azure Sentinel Playbooks are a set of actions (built as Azure Logic Apps workflows) that you can run from Microsoft Sentinel, either on demand or as an automated response.

You can run a playbook manually, or attach it to an automation rule so that it runs automatically whenever an alert or incident triggers that rule.

Azure Sentinel Playbook Examples

Follow the below steps to create a playbook in Azure Sentinel.

  1. Navigate to the Microsoft Sentinel page.
  2. Click on the Automation link in the left navigation –> click on the + Create dropdown –> select the Playbook with incident trigger option.

3. On the Create Logic App page –> click on the Basics tab and provide the details below:

  • Subscription: Select a valid Azure subscription.
  • Resource Group: Select an existing resource group, or click the Create new link to create a new one.
  • Region: Select the region or location.
  • Playbook name: Enter a unique name for your Playbook.

Optionally, select the “Enable diagnostics logs in Log Analytics” checkbox so that the playbook's run history is written to Log Analytics.

After providing all the details on the Basics tab, click the Next: Connections button. Keep the default values on the Connections tab and click the Next: Review and Create button.


4. Click the Create and continue to Designer button in the next window.

On the designer page, you will see that the Microsoft Sentinel incident trigger has already been added by default.


5. Click on + New step. Search for “send an email” –> choose Send an email (V2).


6. Click on the Sign-in button to sign in.


7. Here is the Send an Email (V2) step. Enter the recipient email address in the To field, then enter the Subject and Body.


8. Click on the Save button to save the template.

Now that you have successfully created your Microsoft Sentinel playbook with an incident trigger, the next step is to define the condition under which the playbook will run. You do this by creating an automation rule.

Creating an automation rule in Microsoft Sentinel

To create an automation rule in Microsoft Sentinel in the Azure Portal, follow the steps below.

  1. On the Microsoft Sentinel page –> click on the Automation option in the left navigation, click on the + Create dropdown, and select the Automation rule option.

2. In the Create new automation rule window, provide the details below:

  • Automation rule name: Provide a unique name for the automation rule.
  • Trigger: Select the trigger option based on your requirements.
  • Conditions: Select the conditions; you can also click on the + Add condition button to add more conditions.
  • Actions: Select the Run Playbook option.
  • Then, in the next dropdown, choose the Playbook name we created above.

But for me, I am not able to select the Playbook. The playbook option is grayed out in the dropdown list, the error it shows is “No Microsoft sentinel Permissions,” and it is disabled for me. This issue is because we need to give permission to the Resource Group for the playbook so we can select the playbook here.

  • To configure the permission, on the Microsoft Sentinel page, click on the Settings option under the Configuration section in the left navigation.
  • Now, click on the Settings tab at the top –> expand the Playbook permissions option –> click on the Configure permissions button.
  • On the Manage permissions window, select the Resource Group your playbook belongs to, then click the Apply button.

Note: It is better to grant the permission to the Resource Group your playbook belongs to first, and then perform step 1 and step 2.

Now, follow step 1 and step 2 again to create the new automation rule. You can see below that I can now select the playbook we created above, and it is enabled for me. –> Click on the Apply button, and you are done.


Wrapping Up

In this article, we discussed Azure Sentinel Playbooks, how to create a playbook in Azure Sentinel, and how to create an automation rule in Microsoft Sentinel that runs it. Thanks for reading this article !!!