How to Convert Your Existing Azure Sentinel Playbooks into Automation Rule-Compliant Ones

Did you know that the ‘incident creation rule’ trigger is required for a Playbook to appear in the list of Playbooks that an Automation Rule can run?

[Images: the required ‘incident creation rule’ trigger; the Playbook appearing in the Automation Rule list]

Those that are new to Automation Rules regularly ask, “Why aren’t any of my Playbooks – which I’ve worked hard to create and deploy – available in the list of my Automation Rule?”

The simple answer is that the trigger is wrong.

It’s easy to flip the trigger in the Playbook itself, but let me supply a recommendation. Instead of just adjusting the original Playbook, consider cloning it and keeping two copies: one standard Playbook that can still be run manually against incidents and alerts, and one super-enhanced, Automation Rule-capable copy that uses the ‘incident creation rule’ trigger.

Here’s how to do that…

On the original Playbook page, select the “Clone” option.

Cloning a Playbook

Give the new Automation Rule-capable Playbook a similar name but with something to identify its new capability. As you can see in the next image, I’m not very creative with my renaming, but it works. I just keep the original name and add AutomationRule to the end.

My new Automation Rule capable Playbook

Now when I want to add a Playbook as part of my Automation Rule, this new one will show up in the list.
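As an added example (not part of the original post or any Microsoft tooling), the script below works on exported Logic App workflow definitions and automates the two checks behind this procedure: which of your Playbooks already carry the incident-creation trigger that Automation Rules require, and what a cloned, renamed copy with that trigger would look like. It assumes the two webhook paths that the `azuresentinel` connector uses for its triggers (`/incident-creation` for the incident creation rule trigger, `/subscribe` for the alert response trigger); verify those against your own exported definition before relying on them. The sample Playbook definitions are constructed for the example.

```python
"""Inventory exported Azure Sentinel Playbook (Logic App) definitions and report
which ones use the 'incident creation rule' trigger that Automation Rules require.
Also builds a cloned copy with that trigger, mirroring the 'keep two copies' advice."""
import copy
import json

# Webhook paths used by the 'azuresentinel' Logic Apps connector triggers
# (assumed from the connector's standard definitions; check your own export).
INCIDENT_TRIGGER_PATH = "/incident-creation"  # When Azure Sentinel incident creation rule was triggered
ALERT_TRIGGER_PATH = "/subscribe"             # When a response to an Azure Sentinel alert is triggered
INCIDENT_TRIGGER_NAME = "When_Azure_Sentinel_incident_creation_rule_was_triggered"

# Constructed sample: an alert-triggered Playbook whose action reads alert fields.
ALERT_PLAYBOOK = {
    "triggers": {
        "When_a_response_to_an_Azure_Sentinel_alert_is_triggered": {
            "type": "ApiConnectionWebhook",
            "inputs": {
                "body": {"callback_url": "@{listCallbackUrl()}"},
                "host": {"connection": {"name": "@parameters('$connections')['azuresentinel']['connectionId']"}},
                "path": ALERT_TRIGGER_PATH,
            },
        }
    },
    "actions": {
        "Post_message": {
            "type": "ApiConnection",
            "inputs": {"body": {"text": "Alert: @{triggerBody()?['AlertDisplayName']}"}},
        }
    },
}

# Constructed sample: the same Playbook already carrying the incident trigger.
INCIDENT_PLAYBOOK = copy.deepcopy(ALERT_PLAYBOOK)
INCIDENT_PLAYBOOK["triggers"] = {
    INCIDENT_TRIGGER_NAME: {
        "type": "ApiConnectionWebhook",
        "inputs": {
            "body": {"callback_url": "@{listCallbackUrl()}"},
            "host": {"connection": {"name": "@parameters('$connections')['azuresentinel']['connectionId']"}},
            "path": INCIDENT_TRIGGER_PATH,
        },
    }
}

SAMPLE_PLAYBOOKS = {"Block-IP": ALERT_PLAYBOOK, "Block-IPAutomationRule": INCIDENT_PLAYBOOK}


def trigger_kind(definition: dict) -> str:
    """Classify a workflow definition by its Sentinel trigger: 'incident', 'alert' or 'other'."""
    for trig in definition.get("triggers", {}).values():
        if trig.get("type") != "ApiConnectionWebhook":
            continue
        path = trig.get("inputs", {}).get("path", "")
        if path == INCIDENT_TRIGGER_PATH:
            return "incident"
        if path == ALERT_TRIGGER_PATH:
            return "alert"
    return "other"


def automation_rule_ready(playbooks: dict) -> dict:
    """Map Playbook name -> True if an Automation Rule could select it."""
    return {name: trigger_kind(d) == "incident" for name, d in playbooks.items()}


def actions_referencing_trigger(definition: dict) -> list:
    """Names of actions that read trigger output; after swapping the trigger these
    need review because alert and incident payloads expose different fields."""
    return sorted(
        name for name, action in definition.get("actions", {}).items()
        if "triggerBody()" in json.dumps(action)
    )


def clone_for_automation_rule(name: str, definition: dict, suffix: str = "AutomationRule") -> tuple:
    """Return (new_name, new_definition): a deep copy with the alert trigger replaced by the
    incident creation rule trigger. The original definition is left untouched."""
    new_def = copy.deepcopy(definition)
    new_triggers = {}
    for trig_name, trig in new_def.get("triggers", {}).items():
        if trig.get("type") == "ApiConnectionWebhook" and trig.get("inputs", {}).get("path") == ALERT_TRIGGER_PATH:
            trig["inputs"]["path"] = INCIDENT_TRIGGER_PATH
            trig_name = INCIDENT_TRIGGER_NAME
        new_triggers[trig_name] = trig
    new_def["triggers"] = new_triggers
    return name + suffix, new_def


if __name__ == "__main__":
    for pb, ready in automation_rule_ready(SAMPLE_PLAYBOOKS).items():
        print(f"{pb}: {'usable' if ready else 'NOT usable'} in an Automation Rule")
    new_name, new_def = clone_for_automation_rule("Block-IP", ALERT_PLAYBOOK)
    print(f"cloned as {new_name}; actions to review: {actions_referencing_trigger(new_def)}")
```

Run the clone function on a definition exported from the portal (Logic App code view) rather than editing the live Playbook, then import the result as a new Logic App under the suffixed name; the list of actions it reports still read `triggerBody()` fields from the alert payload and must be re-pointed at the incident payload by hand.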

