Sentinel Automation – Streamlining Security Operations With Enhanced Incident Management

This repository provides automation solutions for Microsoft Sentinel. The repository is focused on Logic Apps/Playbooks. The solutions are aimed to:

Enrich Incidents
Perform Incident Response Steps
Create new detections

Presenting this material as your own is illegal and forbidden. A reference to Twitter @BertJanCyber or Github @Bert-JanP is much appreciated when sharing or using the content.

How To Use The Automation Flows?

Automation Rule

Automation rules can be used to automatically run a playbook once an incident is created or changed.

Go to Automation in Microsoft Sentinel.
Create
Automation Rule (or Playbook depending on trigger)
Select your playbook
Apply

Manual Trigger

After the first triage of an incident a security analyst may determine that more information is needed, Playbooks can be used to provide the analyst with this information.

There are different options to trigger the Playbook for execution, one is shown below.

Open a Sentinel Incident
Incident Actions
Run Playbook
Select the Playbook you want to run
Run

Azure-SecOps : Streamlining Security Operations In The Cloud

February 24, 2025

In "Cyber security"

Best 9 Incident Response Automation Tools

February 21, 2026

In "Cyber security"

Protecting Kubernetes Deployments with Azure Sentinel

January 12, 2023

In "Cyber security"

Varshini

Varshini is a Cyber Security expert in Threat Analysis, Vulnerability Assessment, and Research. Passionate about staying ahead of emerging Threats and Technologies.