Azure Sentinel – Multiple playbooks to one analytic rule
Azure Sentinel playbooks help to automate tasks, improve investigations, and allow quick responses to threats.
This new feature enables selection of up to 10 playbooks to run when a new alert is created.
For example, an analytics rule that indicates high-risk users assigned to suspicious IPs might trigger:
- An Enrichment playbook will query Virus Total about the IP entities, and add the information as a comment on the incident.
- A Response playbook will consult Azure AD Identity Protection and confirm the risky users (received as Account entities) as compromised.
- An Orchestration playbook will send an email to the SOC to inform that a new alert was generated together with its details.
- A Sync playbook will create a new ticket in Jira for the new incident created.
- Navigate to Azure Sentinel -> Analytics
- Create or Edit an existing schedule query rule
- Go to Automated response tab
- Select the multiple playbooks you would like to trigger.
Note : At this point, the selected rules will run in no particular order.