BramvdKlinkenberg-1881 asked

Sentinel Incident does not trigger Playbook

I have enabled continuous export in Azure Security Center to export the Container Vulnerability Recommendations to a Log Analytics workspace that is connected to Sentinel. That works, I can query the SecurityNestedRecommendation table.

I then created an analytics rule which has an automated response (incident automation), which is a playbook and is connected to an automation rule.

The logic app (playbook) is a simple flow that uses the "When Azure Sentinel incident creation rule was triggered" trigger and a teams "Post message in chat or channel" action.

When I build and push a new image to my ACR I see the adjustment of the recommendation (new image is added) and a bit later on in Sentinel an incident has been created, but my automated incident response playbook is not triggered and I have no clue why :-).

Tags: azure-logic-apps, azure-sentinel

Running the logic app manually (Run Trigger) succeeds.


1 Answer

BramvdKlinkenberg-1881 answered

I had to create a playbook that uses the flow "When a response to an Azure Sentinel Alert is triggered" and in the analytics rule I then used the playbook in Alert automation.
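For reference, the two Sentinel connector triggers named in this thread differ only in the webhook path of the Logic App workflow definition; the fragment below is an added example (not the asker's playbook) showing both so you can check which trigger a playbook actually uses before attaching it under Incident automation or Alert automation. The `azuresentinel` connection name is assumed.

```json
{
  "incident_trigger_playbook": {
    "triggers": {
      "When_Azure_Sentinel_incident_creation_rule_was_triggered": {
        "type": "ApiConnectionWebhook",
        "inputs": {
          "body": { "callback_url": "@{listCallbackUrl()}" },
          "host": {
            "connection": {
              "name": "@parameters('$connections')['azuresentinel']['connectionId']"
            }
          },
          "path": "/incident-creation"
        }
      }
    }
  },
  "alert_trigger_playbook": {
    "triggers": {
      "When_a_response_to_an_Azure_Sentinel_alert_is_triggered": {
        "type": "ApiConnectionWebhook",
        "inputs": {
          "body": { "callback_url": "@{listCallbackUrl()}" },
          "host": {
            "connection": {
              "name": "@parameters('$connections')['azuresentinel']['connectionId']"
            }
          },
          "path": "/subscribe"
        }
      }
    }
  }
}
```

A playbook with the `/subscribe` (alert) trigger is the kind selected under an analytics rule's Alert automation, as in the answer above; the `/incident-creation` trigger is the kind an automation rule's incident automation expects.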
