question

ScottMark-6468 asked vipulsparsh-MSFT edited

Fire LogicApp when log appears in Sentinel?

I have a number of logic apps which run on a schedule to send an email relating to AD actions that are triggered, for example account lock / unlock, account disable / re-enable and password change. These are set to run on a schedule using a recurrence pane, which links into the query and then onto a send email pane.

Is there any way I can trigger the app if this event goes into Sentinel, so in effect an "immediate" trigger? If not via logicapp, is there a way to do this in Sentinel?

azure-logic-apps microsoft-sentinel

vipulsparsh-MSFT answered

@ScottMark-6468 Thanks for reaching out. Have you already seen the Automation Rules under the Automation option for Sentinel, where you can trigger a playbook?

119059-image.png


Automation rules are triggered by the creation of incidents. You can set conditions to govern when actions will run, based on the incident and entity details and on analytics rules. You can also set the order of actions and the rule’s expiration time.

Read how they work: https://docs.microsoft.com/en-us/azure/sentinel/automate-responses-with-playbooks
Here is a nice tutorial about it: https://docs.microsoft.com/en-us/azure/sentinel/tutorial-respond-threats-playbook


Let us know if this helps.



Please "Accept the answer" if the information helped you. This will help us and others in the community as well.





ScottMark-6468 answered

Thanks for your response. Apologies, I have only recently started with Azure Sentinel. I will have a look around your links. Interestingly, in my environment I can see the LogicApps appearing under playbooks:

119133-image.png

