Supported triggers and actions in Microsoft Sentinel playbooks

This article describes the triggers and actions supported by the Logic Apps Microsoft Sentinel connector. Use the listed triggers and actions in Microsoft Sentinel playbooks to interact with your Microsoft Sentinel data.

Important

Noted functionality is currently in PREVIEW. See the Supplemental Terms of Use for Azure Previews for additional legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.

Prerequisites

Before you start, make sure that you have the following Azure permissions required to use Microsoft Sentinel connector components:

Role Use triggers Get available actions Update incident,
add a comment
Microsoft Sentinel Reader -
Microsoft Sentinel Responder/Contributor

For more information, see Roles and permissions in Microsoft Sentinel and prerequisites for working with Microsoft Sentinel playbooks.

Supported Microsoft Sentinel triggers

The Microsoft Sentinel connector, and therefore Microsoft Sentinel playbooks, support the following triggers:

  • Microsoft Sentinel incident. Recommended for most incident automation scenarios.

    The playbook receives incident objects, including both entities and alerts. This trigger allows you to attach a playbook to an automation rule that can be triggered whenever an incident is created or updated in Microsoft Sentinel, applying all the benefits of automation rules to the incident.

  • Microsoft Sentinel alert (Preview). Recommended for playbooks that must be run manually on alerts, or for scheduled analytics rules that don't generate incidents for their alerts.

    • This trigger can't be used to automate responses for alerts generated by Microsoft security analytics rules.
    • Playbooks using this trigger can't be called by automation rules.
  • Microsoft Sentinel entity. Recommended for playbooks that must be run manually on specific entities from an investigation or threat hunting context. Playbooks using this trigger can't be called by automation rules.

The schemas used by these flows aren't identical. We recommend using the Microsoft Sentinel incident trigger flow for most scenarios.

Incident dynamic fields

The Incident object received from Microsoft Sentinel incident includes the following dynamic fields:

Field name Description
Incident properties Shown as Incident: <field name>
Alerts An array of the following alert properties, shown as Alert: <field name>.

Since each incident can include multiple alerts, selecting an alert property automatically generates a for each loop to cover all alert in the incident.
Entities An array of all the alert's entities
Workspace info fields Details about the Microsoft Sentinel workspace where the incident was created, including:

- Subscription ID
- Workspace name
- Workspace ID
- Resource group name

Supported Microsoft Sentinel actions

The Microsoft Sentinel connector, and therefore Microsoft Sentinel playbooks, support the following actions:

Action When to use it
Alert - Get Incident In playbooks that start with Alert trigger. Useful for getting the incident properties, or retrieving the Incident ARM ID to use with the Update incident or Add comment to incident actions.
Get Incident When triggering a playbook from an external source or with a non-Sentinel trigger. Identify with an Incident ARM ID. Retrieves the incident properties and comments.
Update Incident To change an incident's Status (for example, when closing the incident), assign an Owner, add or remove a tag, or to change its Severity, Title, or Description.
Add comments to incident To enrich the incident with information collected from external sources; to audit the actions taken by the playbook on the entities; to supply additional information valuable for incident investigation.
Entities - Get <entity type> In playbooks that work on a specific entity type (IP, Account, Host, **URL, or FileHash) which is known at playbook creation time, and you need to be able to parse it and work on its unique fields.

Tip

The actions Update Incident and Add a Comment to Incident require the Incident ARM ID.

Use the Alert - Get Incident action beforehand to get the Incident ARM ID.

Supported entity types

The Entities dynamic field is an array of JSON objects, each of which represents an entity. Each entity type has its own schema, depending on its unique properties.

The "Entities - Get <entity type>" action allows you to:

  • Filter the array of entities by the requested type.
  • Parse the specific fields of this type, so they can be used as dynamic fields in further actions.

The input is the Entities dynamic field.

The response is an array of entities, where the special properties are parsed and can be directly used in a For each loop.

Currently supported entity types include:

The following image shows an example of available actions for entities:

Screenshot of an entities actions list.

For other entity types, similar functionality can be achieved using Logic Apps' built-in actions:

  • Filter the array of entities by the requested type using Filter Array.

  • Parse the specific fields of this type, so they can be used as dynamic fields in further actions using Parse JSON.

For more information, see: