This document explains the types of triggers and actions in the Logic Apps Microsoft Sentinel connector that playbooks can use to interact with Microsoft Sentinel and the information in your workspace's tables. It further shows you how to get to the specific types of Microsoft Sentinel information that you are likely to need.

This document, along with our guide to Authenticating playbooks to Microsoft Sentinel, is a companion to our other playbook documentation, Tutorial: Use playbooks with automation rules in Microsoft Sentinel. These three documents refer to each other back and forth.

For an introduction to playbooks, see Automate threat response with playbooks in Microsoft Sentinel.

For the complete specification of the Microsoft Sentinel connector, see the Logic Apps connector documentation.

## Permissions required

The Microsoft Sentinel role held by the identity the playbook's connection uses determines which connector components it can call:

| Roles \ Connector components | Triggers | "Get" actions | Update incident, add a comment |
|---|---|---|---|
| Microsoft Sentinel Reader | Yes | Yes | No |
| Microsoft Sentinel Responder / Contributor | Yes | Yes | Yes |

Learn more about permissions in Microsoft Sentinel.

## Microsoft Sentinel triggers summary

Though the Microsoft Sentinel connector can be used in a variety of ways, its components can be divided into three flows, each triggered by a different Microsoft Sentinel occurrence:

| Trigger (full name in Logic Apps Designer) | When to use it | Known limitations |
|---|---|---|
| Microsoft Sentinel incident | Recommended for most incident automation scenarios. The playbook receives incident objects, including entities and alerts. Using this trigger allows the playbook to be attached to an automation rule, so it can be triggered when an incident is created (and now, updated as well) in Microsoft Sentinel, and all the benefits of automation rules can be applied to the incident. | Playbooks with this trigger originally did not support alert grouping, meaning they received only the first alert sent with each incident. Update: as of February 2023, alert grouping is supported for this trigger. |
| Microsoft Sentinel alert | Advisable for playbooks that need to be run on alerts manually from the Microsoft Sentinel portal, or for scheduled analytics rules that don't generate incidents for their alerts. | This trigger cannot be used to automate responses for alerts generated by Microsoft security analytics rules. |
| Microsoft Sentinel entity | To be used for playbooks that need to be run manually on specific entities from an investigation or threat hunting context. | Playbooks using this trigger cannot be called by automation rules. |

The schemas used by these flows are not identical. The recommended practice is to use the Microsoft Sentinel incident trigger flow, which is applicable to most scenarios.

## Incident dynamic fields

The incident object received from the Microsoft Sentinel incident trigger includes the following dynamic fields:

- Incident properties (shown as "Incident: field name")
- Alerts (array)
  - Alert properties (shown as "Alert: field name")
  - Entities (array of all an alert's entities)
- Workspace info fields (apply to the Sentinel workspace where the incident was created)

When selecting an alert property such as "Alert: field name", a For each loop is automatically generated, since an incident can include multiple alerts.

## Microsoft Sentinel actions summary

| Component | When to use it |
|---|---|
| Alert - Get incident | In playbooks that start with the alert trigger. Useful for getting the incident properties, or for retrieving the incident ARM ID to use with the Update incident or Add comment to incident actions. |
| Get incident | When triggering a playbook from an external source or with a non-Sentinel trigger. Retrieves the incident properties and comments. |
| Update incident | To change an incident's status (for example, when closing the incident), assign an owner, add or remove a tag, or change its severity, title, or description. |
| Add comment to incident | To enrich the incident with information collected from external sources, to audit the actions taken by the playbook on the entities, or to supply additional information valuable for incident investigation. |
| Entities - Get IPs / Accounts / Hosts / URLs / FileHashes | In playbooks that work on a specific entity type (IP, Account, Host, URL, or FileHash) that is known at playbook creation time, when you need to parse it and work on its unique fields. |

The Update incident and Add comment to incident actions require the incident ARM ID. In a playbook that starts with the alert trigger, use the Alert - Get incident action beforehand to obtain it; a playbook that starts with the incident trigger already has it as part of the incident object it receives.

## Playbook examples by trigger

The connector documentation walks through three starting points:

- Playbook triggered by Microsoft Sentinel incident: a basic playbook that sends incident details over mail.
- Playbook triggered by Microsoft Sentinel alert.
- Playbook triggered by Microsoft Sentinel entity.
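The "send incident details over mail" playbook, as an added Python example that is not part of the connector documentation or of Microsoft's own playbook templates: it takes the incident object the Microsoft Sentinel incident trigger delivers, pulls the incident ARM ID that Update incident and Add comment to incident need, walks every alert (the loop the designer generates for you) and parses each entity by its kind the way the separate Entities - Get actions do, then renders the mail body. The payload is a constructed sample; its field names (`object.id`, `properties.alerts`, `entities[].kind`, `workspaceInfo`) are assumptions about the trigger's schema made for illustration, not a verified copy of it.

```python
"""Parse the incident object an incident-triggered Sentinel playbook receives.

Added example, not from the connector documentation. SAMPLE_TRIGGER_BODY is a
constructed payload shaped like the dynamic fields the page lists (incident
properties, alerts with their entities, workspace info); the field names are
assumptions for illustration, not the connector's published schema.
"""
from collections import defaultdict
import json


def _ent(kind: str, **props) -> dict:
    """Build one entity record: Sentinel entities carry a 'kind' plus kind-specific properties."""
    return {"kind": kind, "properties": props}


SAMPLE_TRIGGER_BODY = {
    "object": {
        "id": ("/subscriptions/11111111-1111-1111-1111-111111111111/resourceGroups/soc-rg"
               "/providers/Microsoft.OperationalInsights/workspaces/soc-ws"
               "/providers/Microsoft.SecurityInsights/Incidents/22222222-2222-2222-2222-222222222222"),
        "properties": {
            "incidentNumber": 1042,
            "title": "Suspicious sign-in followed by mailbox rule",
            "severity": "High",
            "status": "New",
            "alerts": [
                {"properties": {"alertDisplayName": "Impossible travel", "severity": "Medium"},
                 "entities": [_ent("Account", accountName="jdoe", upnSuffix="contoso.com"),
                              _ent("Ip", address="203.0.113.7")]},
                {"properties": {"alertDisplayName": "Suspicious inbox rule", "severity": "High"},
                 "entities": [_ent("Account", accountName="jdoe", upnSuffix="contoso.com"),
                              _ent("Ip", address="203.0.113.7"),
                              _ent("Host", hostName="WS-0419"),
                              _ent("FileHash", algorithm="SHA256",
                                   hashValue="e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855")]},
            ],
        },
    },
    "workspaceInfo": {"ResourceGroupName": "soc-rg", "WorkspaceName": "soc-ws"},
}


def incident_arm_id(trigger_body: dict) -> str:
    """Return the incident ARM ID that Update incident / Add comment require.

    Reject anything that is not a Microsoft.SecurityInsights incident resource so a
    misrouted payload (a different resource id, or none) fails here, not in the action."""
    arm_id = trigger_body.get("object", {}).get("id", "")
    if "/providers/microsoft.securityinsights/incidents/" not in arm_id.lower():
        raise ValueError(f"not a Sentinel incident ARM ID: {arm_id!r}")
    return arm_id


def _entity_label(entity: dict) -> str:
    """Render one entity from its kind-specific fields (assumed property names)."""
    kind = entity.get("kind", "Unknown")
    p = entity.get("properties", {})
    if kind == "Ip":
        return p.get("address", "")
    if kind == "Account":
        suffix = p.get("upnSuffix") or p.get("ntDomain")
        return f"{p.get('accountName', '')}@{suffix}" if suffix else p.get("accountName", "")
    if kind == "Host":
        return p.get("hostName", "")
    if kind == "Url":
        return p.get("url", "")
    if kind == "FileHash":
        return f"{p.get('algorithm', '')}:{p.get('hashValue', '')}"
    return json.dumps(p, sort_keys=True)  # unknown kind: keep the raw properties visible


def entities_by_kind(trigger_body: dict) -> dict:
    """Walk every alert (the For each the designer generates) and group entities by kind,
    de-duplicated because the same account or IP usually recurs across an incident's alerts."""
    seen = defaultdict(set)
    for alert in trigger_body["object"]["properties"].get("alerts", []):
        for entity in alert.get("entities", []):
            label = _entity_label(entity)
            if label:
                seen[entity.get("kind", "Unknown")].add(label)
    return {kind: sorted(labels) for kind, labels in sorted(seen.items())}


def incident_summary(trigger_body: dict) -> str:
    """Plain-text body for the 'send incident details over mail' playbook."""
    props = trigger_body["object"]["properties"]
    ws = trigger_body.get("workspaceInfo", {})
    lines = [
        f"Incident {props['incidentNumber']}: {props['title']}",
        f"Severity: {props['severity']}  Status: {props['status']}",
        f"Workspace: {ws.get('WorkspaceName', '?')} ({ws.get('ResourceGroupName', '?')})",
        f"ARM ID: {incident_arm_id(trigger_body)}",
        "Alerts:",
    ]
    for alert in props.get("alerts", []):
        a = alert.get("properties", {})
        lines.append(f"  - [{a.get('severity', '?')}] {a.get('alertDisplayName', '?')}")
    lines.append("Entities:")
    for kind, labels in entities_by_kind(trigger_body).items():
        lines.append(f"  {kind}: {', '.join(labels)}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(incident_summary(SAMPLE_TRIGGER_BODY))
```

Two points carry over to a real playbook: validate the ARM ID before handing it to Update incident or Add comment to incident, because an action given the wrong resource id fails at run time rather than at design time, and de-duplicate entities after the alert loop, since an incident built from several alerts repeats the same account or IP in each of them.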