Automation in Azure Sentinel

Azure Sentinel (now Microsoft Sentinel) provides automation capabilities that shorten the time between an incident being raised and a response being taken. Whether you use built-in Automation Rules, Playbooks built on Azure Logic Apps, or the Sentinel REST API, you can codify repeatable response steps and reduce manual effort in the SOC.

Key Concepts

What is Automation?

Automation in Sentinel includes:

  • Automation Rules: Trigger-condition-action configurations that run when an incident is created or updated (or when an alert is created). They can change an incident's status, severity, owner or tags, and they can run playbooks. Rules are evaluated in the order you assign them.
  • Playbooks: Azure Logic Apps workflows for multi-step response such as enrichment, notification and containment. A playbook meant to be run by an automation rule starts with the Microsoft Sentinel incident trigger.
  • REST API: Programmatic control over incidents, automation rules and other workspace resources, for custom integrations and infrastructure-as-code.

Quickstart Example

The following sample uses the Azure CLI (az rest) to call the Sentinel Automation Rules REST API and create a rule that runs the IsolateDevice playbook (an Azure Logic App) whenever a new High-severity incident is created. Note that the rule only invokes the playbook; the device isolation itself is implemented inside the Logic App. Before the rule can run it, grant the Microsoft Sentinel service identity the Microsoft Sentinel Automation Contributor role on the resource group that holds the playbook, otherwise the playbook action is rejected. Replace xxxx and <tenant-id> with your subscription and tenant IDs; PUT is idempotent on the rule id, so re-running the command updates the rule in place.

# Create (or update) the automation rule; az rest attaches a management-plane token automatically.
az rest --method put \
  --url "https://management.azure.com/subscriptions/xxxx/resourceGroups/MyRG/providers/Microsoft.OperationalInsights/workspaces/MyWorkspace/providers/Microsoft.SecurityInsights/automationRules/isolate-compromised-device?api-version=2023-02-01" \
  --body '{"properties": {
    "displayName": "Isolate-Compromised-Device",
    "order": 1,
    "triggeringLogic": {"isEnabled": true, "triggersOn": "Incidents", "triggersWhen": "Created",
      "conditions": [{"conditionType": "Property", "conditionProperties":
        {"propertyName": "IncidentSeverity", "operator": "Equals", "propertyValues": ["High"]}}]},
    "actions": [{"order": 1, "actionType": "RunPlaybook", "actionConfiguration": {
      "logicAppResourceId": "/subscriptions/xxxx/resourceGroups/MyRG/providers/Microsoft.Logic/workflows/IsolateDevice",
      "tenantId": "<tenant-id>"}}]}}'
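
The following Python is an added example for this page, not Microsoft code and not from any Sentinel SDK. It builds the same kind of rule the quickstart creates (High-severity incident, run the IsolateDevice playbook) in the JSON shape the Microsoft.SecurityInsights automationRules REST API expects (api-version 2023-02-01), adds a second condition on the incident title to show how conditions combine, and dry-runs the triggering logic against constructed sample incidents before anything is deployed. The tenant ID, the sample incidents and the case-insensitive string comparison in the local evaluator are assumptions.

```python
"""Build a Microsoft Sentinel automation rule and dry-run its triggering logic.

Added example for this page, not Microsoft code. The JSON shape follows the
Microsoft.SecurityInsights automationRules REST API (api-version 2023-02-01).
Assumed: placeholder tenant/resource IDs, constructed sample incidents, and
case-insensitive string comparison in the local evaluator."""
import json

API_VERSION = "2023-02-01"


def automation_rule_url(subscription_id, resource_group, workspace, rule_id):
    """Management-plane URL of one automation rule (PUT creates or updates it)."""
    return ("https://management.azure.com"
            f"/subscriptions/{subscription_id}/resourceGroups/{resource_group}"
            f"/providers/Microsoft.OperationalInsights/workspaces/{workspace}"
            f"/providers/Microsoft.SecurityInsights/automationRules/{rule_id}"
            f"?api-version={API_VERSION}")


def build_rule(display_name, logic_app_resource_id, tenant_id, conditions, order=1):
    """PUT body: run one playbook when a newly created incident meets every condition.
    Each condition is a conditionProperties dict (propertyName/operator/propertyValues)."""
    return {"properties": {
        "displayName": display_name,
        "order": order,
        "triggeringLogic": {
            "isEnabled": True, "triggersOn": "Incidents", "triggersWhen": "Created",
            "conditions": [{"conditionType": "Property", "conditionProperties": c}
                           for c in conditions],
        },
        "actions": [{"order": 1, "actionType": "RunPlaybook",
                     "actionConfiguration": {"logicAppResourceId": logic_app_resource_id,
                                             "tenantId": tenant_id}}],
    }}


# Incident REST property behind each condition propertyName used below.
_INCIDENT_FIELDS = {
    "IncidentSeverity": "severity",
    "IncidentStatus": "status",
    "IncidentTitle": "title",
    "IncidentDescription": "description",
}

# Positive operators pass if ANY propertyValue matches; negative ones only if NONE does.
_POSITIVE = {"Equals": lambda v, w: v == w,
             "Contains": lambda v, w: w in v}
_NEGATIVE = {"NotEquals": lambda v, w: v != w,
             "NotContains": lambda v, w: w not in v}


def rule_matches(rule, incident):
    """Dry run: would this rule's triggering logic fire for the incident?
    All conditions are ANDed; comparison is case-insensitive (assumption)."""
    logic = rule["properties"]["triggeringLogic"]
    if not logic["isEnabled"]:
        return False
    props = incident["properties"]
    for cond in logic["conditions"]:
        cp = cond["conditionProperties"]
        value = str(props.get(_INCIDENT_FIELDS[cp["propertyName"]], "")).lower()
        wanted = [str(w).lower() for w in cp["propertyValues"]]
        if cp["operator"] in _POSITIVE:
            ok = any(_POSITIVE[cp["operator"]](value, w) for w in wanted)
        else:
            ok = all(_NEGATIVE[cp["operator"]](value, w) for w in wanted)
        if not ok:
            return False
    return True


def matching_incidents(rule, incidents):
    """Names of the incidents the rule would fire for."""
    return [i["name"] for i in incidents if rule_matches(rule, i)]


# Same shape as the quickstart rule, plus a title condition to show ANDing.
RULE = build_rule(
    display_name="Isolate-Compromised-Device",
    logic_app_resource_id="/subscriptions/xxxx/resourceGroups/MyRG/providers/Microsoft.Logic/workflows/IsolateDevice",
    tenant_id="00000000-0000-0000-0000-000000000000",  # placeholder (assumed)
    conditions=[
        {"propertyName": "IncidentSeverity", "operator": "Equals", "propertyValues": ["High"]},
        {"propertyName": "IncidentTitle", "operator": "Contains", "propertyValues": ["malware", "ransomware"]},
    ],
)

# Constructed sample incidents (not real Sentinel data).
SAMPLE_INCIDENTS = [
    {"name": "inc-1", "properties": {"severity": "High", "status": "New", "title": "Ransomware behaviour on WS-042"}},
    {"name": "inc-2", "properties": {"severity": "Medium", "status": "New", "title": "Malware detected on WS-017"}},
    {"name": "inc-3", "properties": {"severity": "High", "status": "New", "title": "Unfamiliar sign-in properties"}},
]

if __name__ == "__main__":
    print("PUT", automation_rule_url("xxxx", "MyRG", "MyWorkspace", "isolate-compromised-device"))
    print(json.dumps(RULE, indent=2))
    print("would fire for:", matching_incidents(RULE, SAMPLE_INCIDENTS))  # ['inc-1']
```

The dry run is useful for the one thing the portal does not show you: a rule with several conditions fires only when all of them hold, and a negative operator (NotEquals, NotContains) with several values must hold against every value, so "severity does not equal High, Medium" excludes both. Submit json.dumps(RULE) as the body of a PUT to automation_rule_url(...) with a management-plane bearer token, or feed the same JSON to az rest as in the quickstart.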
