Using a mixture of Automation Rules and Playbooks, you can develop some effective automation around common responses to Incidents in Azure Sentinel. The Automation Rules feature is new and compliments the original Playbooks feature extremely well. In some cases, an Automation Rule is all that’s needed.
But, it’s important to understand a slight nuance in how the Automation Rules run. This will affect how you develop them.
When you have Automation Rules strung together with Playbooks, the first Automation Rule runs immediately, but when a Playbook is enacted, there’s a 2-minute delay. This delay is to ensure that the Playbook has time to complete.
As you can imagine – based on the calculation of 2-minutes per Playbook – if you have multiple Playbooks assigned in the automation string, the entire chain could take a while to complete.
Just be mindful of this.
A slight workaround would be to develop a Playbook that’s a bit larger with more steps instead of calling multiple Playbooks that do different things.
This should change in the future so that there’s some intelligence built in to detect when the logic steps of a Playbook has completed.
[Subscribe to the RSS feed for this blog]
[Subscribe to the Weekly Azure Sentinel Newsletter]