Update now: Stop Running Playbooks Directly from Analytics Rules
Knowing is only half the battle
Since its inception, Microsoft Sentinel has let you assign a specific Playbook (or several, if required) directly in the Automation section of an Analytics Rule (as shown in the next image).
Many Microsoft Sentinel customers have taken advantage of this, so learning that the capability is being deprecated this month may come as a surprise and leave some wondering what to do next.
The official announcement: Classic alert automation due for deprecation
Since this capability was introduced, Microsoft Sentinel's approach to managing automation efficiently has changed: Automation Rules are now the better, more effective method. Here are some reasons why this makes sense.
With Automation Rules, you can:
Manage all your automations from a single display, regardless of type (“single pane of glass”).
Define a single automation rule that can trigger playbooks for multiple analytics rules, instead of configuring each analytics rule independently.
Define the order in which alert playbooks will be executed.
Support scenarios that set an expiration date for running a playbook.
As you can see, this new way of thinking makes a lot of sense.
So, what’s next? Check out the following link to start converting any existing Analytics Rules that have Playbooks assigned directly to the new method.
Migrate your Microsoft Sentinel alert-trigger playbooks to automation rules