Sentinel & Log Analytics – How to Create Incidents to Test with – Part 2 – The Automation Rule
Today, I’d like to talk about using Microsoft Sentinel and address a common question that many teams have when they are starting to work with the Sentinel SIEM/SOAR solution….Part 2 of How do I create incidents to test with? Today we look at the automation rule and how we can use it trigger our Playbook or other automation that needs to be tested.
Our challenge is that teams new to Sentinel often face a little mystery when trying to run tests against alerting rules, email notifications, automation rules, and playbooks or logic apps. In the previous article (HERE) you can learn how to create incidents from a custom Analytics Rule in Microsoft Sentinel.
To test a logic app or other automation from test incidents in Microsoft Sentinel, let’s create an Automation Rule to fire when our previously created Test Incidents get created.
In Microsoft Sentinel, select Automation.
Then choose +CREATE and select AUTOMATION RULE.
A wonderful new blade opens where we can make some configuration changes for the rule we want to create.
1 – Enter a descriptive and verbose name for your rule. This is important so that others know what this rule is all about another day.
2 – Set our trigger for this rule to When an Incident is Created
3 – Choose a Condition that CONTAINS a RULE NAME.
4 – Use the search field to look for TEST from our Analytics rule name.
5 – Select our previously created Analytics rule TEST INCIDENTS FOR AUTOMATION TESTING.
Next, set the ACTIONS to RUN PLAYBOOK.
You can also add additional ACTIONS here to force the status of the incident and the severity. You can also set the ASSIGN OWNER of the incident to yourself since this is strictly for testing in our example here today. This will help prevent an incident we create from getting lost in the queue.
Lastly, consider setting an expiration date in case we forget to come back and get rid of our testing setup later-on. This is a great setting to help us limit the ‘blast radius’. We can set this to run just overnight as an example by setting date and time to expire our Automation Rule.
Click on APPLY when ready.
Now when the AUTOMATION RULE fires against the Analytics Rule we previously created, it will trigger the PLAYBOOK with our automation that we need to test.
Remember to disable or remove your Automation rule and Analytics Rule when you are done with your testing!