This tutorial shows you how to use playbooks together with automation rules to automate your incident response and remediate security threats detected by Microsoft Sentinel. When you complete this tutorial you will be able to:
This tutorial provides basic guidance for a top customer task: creating automation to triage incidents. For more information, see our How-to section, such as Automate threat response with playbooks in Microsoft Sentinel and Use triggers and actions in Microsoft Sentinel playbooks.
Automation rules help you triage incidents in Microsoft Sentinel. You can use them to automatically assign incidents to the right personnel, close noisy incidents or known false positives, change their severity, and add tags. They are also the mechanism by which you can run playbooks in response to incidents.
Playbooks are collections of procedures that can be run from Microsoft Sentinel in response to an alert or incident. A playbook can help automate and orchestrate your response, and can be set to run automatically when specific alerts or incidents are generated, by being attached to an analytics rule or an automation rule, respectively. It can also be run manually on-demand.
Playbooks in Microsoft Sentinel are based on workflows built in Azure Logic Apps, which means that you get all the power, customizability, and built-in templates of Logic Apps. Each playbook is created for the specific subscription to which it belongs, but the Playbooks display shows you all the playbooks available across any selected subscriptions.
For example, if you want to stop potentially compromised users from moving around your network and stealing information, you can create an automated, multifaceted response to incidents generated by rules that detect compromised users. You start by creating a playbook that takes the following actions:
Playbooks can be run automatically in response to incidents, by creating automation rules that call the playbooks as actions, as in the example above. They can also be run automatically in response to alerts, by telling the analytics rule to automatically run one or more playbooks when the alert is generated.
If you're creating a Standard playbook (the new kind - see Logic app types), select Blank playbook and then follow the steps in the Logic Apps Standard tab below.
If you're creating a Consumption playbook (the original, classic kind), then, depending on which trigger you want to use, select either Playbook with incident trigger, Playbook with alert trigger, or Playbook with entity trigger. Then, continue following the steps in the Logic Apps Consumption tab below.
If you want to monitor this playbook's activity for diagnostic purposes, mark the Enable diagnostics logs in Log Analytics check box, and choose your Log Analytics workspace from the drop-down list.
If your playbooks need access to protected resources that are inside or connected to an Azure virtual network, you may need to use an integration service environment (ISE). If so, mark the Associate with integration service environment check box, and select the desired ISE from the drop-down list.
Your playbook will take a few minutes to be created and deployed, after which you will see the message "Your deployment is complete" and you will be taken to your new playbook's Logic App Designer. The trigger you chose at the beginning will have automatically been added as the first step, and you can continue designing the workflow from there.
Your playbook will take a few minutes to be created and deployed, during which you will see some deployment messages. At the end of the process you will be taken to the final deployment screen where you'll see the message "Your deployment is complete".
When you choose a trigger, or any subsequent action, you will be asked to authenticate to whichever resource provider you are interacting with. In this case, the provider is Microsoft Sentinel. There are a few different approaches you can take to authentication. For details and instructions, see Authenticate playbooks to Microsoft Sentinel.
Now you can define what happens when you call the playbook. You can add actions, logical conditions, loops, or switch case conditions, all by selecting New step. This selection opens a new frame in the designer, where you can choose a system or an application to interact with or a condition to set. Enter the name of the system or application in the search bar at the top of the frame, and then choose from the available results.
In every one of these steps, clicking on any field displays a panel with two menus: Dynamic content and Expression. From the Dynamic content menu, you can add references to the attributes of the alert or incident that was passed to the playbook, including the values and attributes of all the mapped entities and custom details contained in the alert or incident. From the Expression menu, you can choose from a large library of functions to add additional logic to your steps.
You've created your playbook and defined the trigger, set the conditions, and prescribed the actions that it will take and the outputs it will produce. Now you need to determine the criteria under which it will run and set up the automation mechanism that will run it when those criteria are met.
Choose the actions you want this automation rule to take. Available actions include Assign owner, Change status, Change severity, Add tags, and Run playbook. You can add as many actions as you like.
If you add a Run playbook action, you will be prompted to choose from the drop-down list of available playbooks. Only playbooks that start with the incident trigger can be run from automation rules, so only they will appear in the list.
Microsoft Sentinel must be granted explicit permissions in order to run playbooks based on the incident trigger, whether manually or from automation rules. If a playbook appears "grayed out" in the drop-down list, it means Sentinel does not have permission to that playbook's resource group. Click the Manage playbook permissions link to assign permissions.
You yourself must have owner permissions on any resource group to which you want to grant Microsoft Sentinel permissions, and you must have the Logic App Contributor role on any resource group containing playbooks you want to run.
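The permission check described above can be scripted instead of done through the Manage playbook permissions link. The following PowerShell is an added example, not code from the Microsoft documentation: it assumes the Az.Accounts, Az.Resources and Az.LogicApp modules, an existing Connect-AzAccount session held by an Owner of the playbook resource group, and a placeholder resource group name that you replace with your own.

```powershell
# Added example (not from the Microsoft docs page): find out whether Microsoft Sentinel's
# service principal can run the playbooks in a resource group, and if not grant it the
# built-in "Microsoft Sentinel Automation Contributor" role scoped to that resource group.
# Assumptions: Az.Accounts, Az.Resources, Az.LogicApp are installed; you are signed in
# (Connect-AzAccount) as an Owner of the playbook resource group.
param(
    # Placeholder: the resource group that holds your Consumption playbooks.
    [Parameter(Mandatory)] [string] $PlaybookResourceGroup
)

$roleName = 'Microsoft Sentinel Automation Contributor'

# "Azure Security Insights" is the Microsoft Sentinel first-party service principal that
# is present in every tenant where Sentinel is enabled.
$sentinelSp = Get-AzADServicePrincipal -DisplayName 'Azure Security Insights' |
    Select-Object -First 1
if (-not $sentinelSp) {
    throw 'Azure Security Insights service principal not found in this tenant.'
}

# These are the Consumption playbooks that would be offered in the Run playbook drop-down.
$playbooks = @(Get-AzLogicApp -ResourceGroupName $PlaybookResourceGroup)
Write-Host ("Found {0} playbook(s) in resource group {1}" -f $playbooks.Count, $PlaybookResourceGroup)

# A grayed-out playbook means this role assignment is missing at resource group scope.
$assignment = Get-AzRoleAssignment -ObjectId $sentinelSp.Id `
    -ResourceGroupName $PlaybookResourceGroup -RoleDefinitionName $roleName

if ($assignment) {
    Write-Host "Sentinel already holds '$roleName' on $PlaybookResourceGroup; playbooks will be runnable."
} else {
    # Scope the grant to the resource group only (least privilege), not the subscription.
    Write-Host "Granting '$roleName' to Sentinel on resource group $PlaybookResourceGroup."
    New-AzRoleAssignment -ObjectId $sentinelSp.Id -RoleDefinitionName $roleName `
        -ResourceGroupName $PlaybookResourceGroup | Out-Null
}
```

Running the script before and after granting the role gives you an auditable record of which resource groups Sentinel may execute playbooks in, which is easy to lose track of when permissions are granted through the portal.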
If, in an MSSP scenario, you want to run a playbook in a customer tenant from an automation rule created while signed into the service provider tenant, you must grant Microsoft Sentinel permission to run the playbook in both tenants. In the customer tenant, follow the instructions for the multi-tenant deployment in the preceding bullet point. In the service provider tenant, you must add the Azure Security Insights app in your Azure Lighthouse onboarding template:
You use a playbook to respond to an alert by creating an analytics rule, or editing an existing one, that runs when the alert is generated, and selecting your playbook as an automated response in the analytics rule wizard.
You can also manually run a playbook on demand, on both incidents (in Preview) and alerts. This can be useful in situations where you want more human input into and control over orchestration and response processes.
In the incident details page, in the Incident timeline widget, choose the alert you want to run the playbook on. Select the three dots at the end of the alert's line and choose Run playbook from the pop-up menu.
In the incident details page, select the Alerts tab, choose the alert you want to run the playbook on, and select the View playbooks link at the end of the line of that alert.
You can see the run history for playbooks on an alert by selecting the Runs tab on the Alert playbooks pane. It might take a few seconds for any just-completed run to appear in the list. Selecting a specific run will open the full run log in Logic Apps.
From the incident details pane that appears on the right, select Actions > Run playbook (Preview). (Selecting the three dots at the end of the incident's line on the grid or right-clicking the incident will display the same list as the Actions button.)
The Run playbook on incident panel opens on the right. You'll see a list of all playbooks configured with the Microsoft Sentinel Incident Logic Apps trigger that you have access to.
If you don't see the playbook you want to run in the list, it means Microsoft Sentinel doesn't have permissions to run playbooks in that resource group (see the note above). To grant those permissions, select Settings from the main menu, choose the Settings tab, expand the Playbook permissions expander, and select Configure permissions. In the Manage permissions panel that opens up, mark the check boxes of the resource groups containing the playbooks you want to run, and select Apply.
You can see the run history for playbooks on an incident by selecting the Runs tab on the Run playbook on incident panel. It might take a few seconds for any just-completed run to appear in the list. Selecting a specific run will open the full run log in Logic Apps.
Regardless of the context you came from, the instructions above will all open the Run playbook on panel. You'll see a list of all playbooks that you have access to that were configured with the Microsoft Sentinel Entity Logic Apps trigger for the selected entity type.