Azure Sentinel Documentation

Getting Started with Automation

Learn how to automate threat detection, investigation, and response in Azure Sentinel using built-in playbooks, custom scripts, and integration with third-party services.

Prerequisites

Step-by-Step Guide

1. Create a Playbook

Navigate to Configuration ▶ Automation and click + Create Playbook. Choose a Logic Apps template or start from scratch.

{
  "definition": {
    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "resources": [
      // Insert your Logic App workflow here
    ]
  }
}

2. Add Trigger & Actions

Select the "When a response to an Azure Sentinel alert is triggered" trigger and add actions such as sending an email, isolating a VM, or posting a message to Teams.

trigger():
    type: "Microsoft.Security/alerts"
    condition: "Severity eq 'High'"

action_send_email():
    type: "SendEmail"
    parameters:
        to: "security@example.com"
        subject: "High severity alert"

3. Test & Deploy

Use the "Run Trigger" button to simulate an alert, verify that the workflow runs as expected, and then save the playbook. Finally, associate it with an analytics rule so that it runs automatically when that rule fires.

[Screenshot: playbook test run]

Sample Playbook: Auto-Remediate Suspicious Login

{
  "definition": {
    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "resources": [
      {
        "type": "Microsoft.Logic/workflows",
        "apiVersion": "2019-05-01",
        "name": "AutoRemediateLogin",
        "location": "[resourceGroup().location]",
        "properties": {
          "definition": {
            "$connections": {
              "defaultValue": {}
            },
            "triggers": {
              "When_a_response_to_an_Azure_Sentinel_alert_is_triggered": {
                "type": "Request",
                "kind": "Http",
                "inputs": {
                  "schema": {}
                }
              }
            },
            "actions": {
              "Send_an_email": {
                "type": "ApiConnection",
                "inputs": {
                  "host": {
                    "api": {
                      "runtimeUrl": "https://logic-apis-westeurope.azure-apim.net"
                    }
                  },
                  "method": "post",
                  "path": "/v2/MicrosoftGraph/sendMail",
                  "authentication": {
                    "type": "Raw",
                    "scheme": "Bearer",
                    "parameter": "@{triggerBody()['Authorization']}"
                  },
                  "body": {
                    "message": {
                      "subject": "Suspicious login detected",
                      "body": {
                        "contentType": "Text",
                        "content": "A suspicious login was detected for user @{triggerBody()['UserName']}."
                      },
                      "toRecipients": [
                        {
                          "emailAddress": {
                            "address": "security@example.com"
                          }
                        }
                      ]
                    }
                  }
                }
              }
            }
          }
        }
      }
    ]
  }
}
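Before saving a playbook in step 3 and attaching it to an analytics rule, it is worth checking the exported template for the things a reviewer cares about: that the workflow is driven by the Sentinel alert trigger, that notifications go only to approved mailboxes, and that no action carries a literal credential. The script below is an added example, not part of this documentation or of Azure Sentinel; the allow-listed mailbox and the trimmed sample template (a copy of the workflow above plus one deliberately bad action) are constructed for the example.

```python
import json

# Assumption: the only mailboxes an auto-remediation playbook may notify.
ALLOWED_RECIPIENTS = {"security@example.com"}

def _dicts(node):
    """Depth-first generator over every dict inside a nested JSON value."""
    if isinstance(node, dict):
        yield node
        node = list(node.values())
    if isinstance(node, list):
        for item in node:
            yield from _dicts(item)

def check_playbook(template: dict) -> list:
    """Return human-readable findings for a playbook template (empty list = passed)."""
    findings = []
    for res in template["definition"]["resources"]:
        if res.get("type") != "Microsoft.Logic/workflows":
            continue
        name, definition = res["name"], res["properties"]["definition"]
        # 1. The workflow must be started by the Sentinel alert trigger.
        if not any("Azure_Sentinel_alert" in t for t in definition.get("triggers", {})):
            findings.append(f"{name}: no Azure Sentinel alert trigger")
        for act, action in definition.get("actions", {}).items():
            for node in _dicts(action):
                # 2. Every mail recipient must be on the allow-list.
                if "emailAddress" in node:
                    addr = node["emailAddress"].get("address")
                    if addr not in ALLOWED_RECIPIENTS:
                        findings.append(f"{name}/{act}: recipient {addr} is not allow-listed")
                # 3. A raw bearer credential must come from a workflow expression, never a literal.
                auth = node.get("authentication")
                if auth and auth.get("type") == "Raw" and not str(auth.get("parameter", "")).startswith("@"):
                    findings.append(f"{name}/{act}: literal credential in authentication block")
    return findings

# Constructed sample: the "AutoRemediateLogin" workflow trimmed to the fields the checks
# look at, plus a second action ("Forward_externally") that the review should reject.
SAMPLE_TEMPLATE = json.loads("""{"definition": {"resources": [{"type": "Microsoft.Logic/workflows",
 "name": "AutoRemediateLogin", "properties": {"definition": {
 "triggers": {"When_a_response_to_an_Azure_Sentinel_alert_is_triggered": {"type": "Request"}},
 "actions": {
  "Send_an_email": {"inputs": {"authentication": {"type": "Raw", "parameter": "@{triggerBody()['Authorization']}"},
    "body": {"message": {"toRecipients": [{"emailAddress": {"address": "security@example.com"}}]}}}},
  "Forward_externally": {"inputs": {"authentication": {"type": "Raw", "parameter": "PLACEHOLDER-LITERAL-TOKEN"},
    "body": {"message": {"toRecipients": [{"emailAddress": {"address": "partner@example.net"}}]}}}}}}}}]}}""")

if __name__ == "__main__":
    print("\n".join(check_playbook(SAMPLE_TEMPLATE)) or "playbook passed")
```

Run it against the exported ARM template of your own playbook (`json.load(open("playbook.json"))`) after adjusting the allow-list.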