Lab 09 Intermediate

Deploy Your First Sentinel Automation

60-90 minutes Modules: Module 10

Objective

Deploy the SOC Channel Notification playbook (Template 2 from Module 10, subsection 10.8). When a High-severity incident is created in Sentinel, a formatted notification card is automatically posted to your SOC Teams channel. (Sentinel incident severity is one of Informational, Low, Medium or High; there is no Critical level, so "High" is the top of the scale.)

Required: Microsoft Sentinel, Azure Logic Apps access (Contributor role), Microsoft Teams with a designated SOC channel.


Step 1: Create the Logic App

Navigate to: Azure Portal → Logic Apps → Add

Field | Value
Name | SOC-Notify-Teams-Channel
Region | Same as your Sentinel workspace
Plan type | Consumption

Step 2: Configure the Logic App trigger

Open the Logic App designer. Search for "Microsoft Sentinel" and select the incident trigger. In the current designer it is labelled "Microsoft Sentinel incident"; in older portals the same trigger appears as "When Azure Sentinel incident creation rule was triggered". Do not pick the alert trigger ("When a response to an Azure Sentinel alert is triggered"), which receives alerts rather than incidents.

Create the connection with the Logic App's system-assigned managed identity (enable it first under Settings → Identity) rather than a user sign-in, and grant that identity the Microsoft Sentinel Responder role on the workspace. A user-based connection works too, but its token expires and is the usual cause of the "authentication expired" failure seen in Step 7.

Note that this trigger does not poll for incidents on its own. It fires only when something invokes the playbook with an incident object, which in this lab is the automation rule you create in Step 5. That rule, not the trigger, decides which incidents (here, High severity) reach the playbook.


Step 3: Add the incident detail extraction

Add a Compose action (Data Operations → Compose) with the Inputs below. It copies the fields the notification needs out of the incident object the trigger received and truncates the description to 200 characters. The description is wrapped in coalesce() because Sentinel incidents may carry no description at all, and length(null) would fail the run:

{
  "title": "@{triggerBody()?['object']?['properties']?['title']}",
  "severity": "@{triggerBody()?['object']?['properties']?['severity']}",
  "status": "@{triggerBody()?['object']?['properties']?['status']}",
  "incidentUrl": "@{triggerBody()?['object']?['properties']?['incidentUrl']}",
  "description": "@{substring(coalesce(triggerBody()?['object']?['properties']?['description'], ''), 0, min(length(coalesce(triggerBody()?['object']?['properties']?['description'], '')), 200))}"
}

Step 4: Post to Teams

Add a Microsoft Teams action that posts to a channel. In the current connector it is "Post message in a chat or channel" (Post in: Channel, Post as: Flow bot); older designers show it as "Post a message (V3)". Either works for this lab.

Field | Value
Team | [Your SOC team]
Channel | [Your SOC alerts channel]
Message | See formatted template below

Message template:

🔴 Sentinel Incident: {title}
Severity: {severity}
{description}

🔗 Open in Sentinel: {incidentUrl}

Replace {title}, {severity}, {description}, and {incidentUrl} with the outputs of the Compose action, not with the raw trigger fields: in the designer choose the Compose action's Outputs under Dynamic content, or type the expressions outputs('Compose')?['title'], outputs('Compose')?['severity'], outputs('Compose')?['description'] and outputs('Compose')?['incidentUrl'] directly. If you renamed the Compose action, use that name in place of Compose.


Step 5: Create the Sentinel automation rule

Navigate to: Sentinel → Automation → Create → Automation rule

Field | Value
Name | Notify SOC channel on High incidents
Trigger | When incident is created
Condition | Severity equals High (Sentinel has no Critical severity; to include Medium as well, add it with OR)
Action | Run playbook → SOC-Notify-Teams-Channel
Order | 10 (runs after enrichment rules if you add those later)

Before saving, make sure Sentinel is allowed to run the playbook. The automation rule runs under the Microsoft Sentinel service identity, which needs the Microsoft Sentinel Automation Contributor role on the resource group that holds the Logic App. The Run playbook action in the rule editor offers to grant it ("Manage playbook permissions"); it can also be set under Sentinel → Settings → Settings → Playbook permissions. Without it the rule saves but the playbook is never invoked.
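To see the whole data path of Steps 3 to 5 in one place, the following is an added example (not code from the lab or from Microsoft) that models, offline in Python, what the automation rule condition, the Compose action and the Teams message template do to an incident. The trigger payload is constructed: its shape follows the Sentinel incident object the trigger passes (object.properties.title, severity, status, incidentUrl, description), but the incident ID, URL and description text are placeholders. It also shows the two edge cases the lab's expressions have to survive: an incident with no description, and a rule configured with a severity value Sentinel never produces.

```python
"""Offline model of the SOC-Notify-Teams-Channel playbook's data path."""
from typing import Optional

# Severity values Microsoft Sentinel assigns to incidents (there is no "Critical").
SENTINEL_SEVERITIES = ("Informational", "Low", "Medium", "High")

# Constructed sample trigger body. Assumption: the shape mirrors the incident
# object the "Microsoft Sentinel incident" trigger delivers (object.properties.*);
# the incident name, URL and description are placeholders, not real resources.
SAMPLE_TRIGGER_BODY = {
    "object": {
        "name": "11111111-1111-1111-1111-111111111111",
        "properties": {
            "title": "TEST: Automation validation",
            "severity": "High",
            "status": "New",
            "incidentNumber": 1234,
            "incidentUrl": "https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/placeholder",
            # Deliberately longer than 200 characters to exercise the truncation.
            "description": "Suspicious sign-in followed by mailbox rule creation. " * 6,
        },
    }
}


def _properties(trigger_body: dict) -> dict:
    """Equivalent of triggerBody()?['object']?['properties'] with null-safe lookups."""
    return (trigger_body.get("object") or {}).get("properties") or {}


def automation_rule_matches(trigger_body: dict, severities=("High",)) -> bool:
    """Condition of the Step 5 automation rule: incident severity is in the configured set.

    Rejects severity names Sentinel never emits, so a rule written for "Critical"
    is caught here instead of silently never matching.
    """
    unknown = set(severities) - set(SENTINEL_SEVERITIES)
    if unknown:
        raise ValueError(f"not a Sentinel severity: {sorted(unknown)}")
    return _properties(trigger_body).get("severity") in severities


def compose_notification(trigger_body: dict, max_description: int = 200) -> dict:
    """Equivalent of the Step 3 Compose action.

    `description or ""` plays the role of coalesce(description, ''): an incident
    without a description must produce an empty string, not a failed run.
    """
    props = _properties(trigger_body)
    description = props.get("description") or ""
    return {
        "title": props.get("title"),
        "severity": props.get("severity"),
        "status": props.get("status"),
        "incidentUrl": props.get("incidentUrl"),
        "description": description[:max_description],
    }


def render_teams_message(fields: dict) -> str:
    """Step 4 message template with the Compose outputs substituted."""
    return (
        f"🔴 Sentinel Incident: {fields['title']}\n"
        f"Severity: {fields['severity']}\n"
        f"{fields['description']}\n"
        "\n"
        f"🔗 Open in Sentinel: {fields['incidentUrl']}"
    )


def run_playbook(trigger_body: dict, severities=("High",)) -> Optional[str]:
    """Rule check, then Compose, then message. Returns None when the rule would not fire."""
    if not automation_rule_matches(trigger_body, severities):
        return None
    return render_teams_message(compose_notification(trigger_body))


if __name__ == "__main__":
    print(run_playbook(SAMPLE_TRIGGER_BODY))
```

Running the file prints the exact text the Teams action would post for the sample incident. Feeding it an incident with severity Medium returns None, which is the behaviour you expect from the automation rule, not from the playbook: the Logic App never runs for that incident, so you will not find a failed run for it in Step 7.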

Step 6: Test the automation

Create a test incident in Sentinel:

Navigate to: Sentinel → Incidents → Create incident (manual)

Field | Value
Title | TEST: Automation validation — delete after testing
Severity | High
Status | New

Wait 1-2 minutes. Check your SOC Teams channel. The notification should appear with the incident title, severity, and Sentinel link.

After verification, close and delete the test incident.


Step 7: Monitor Logic App health

Check the Logic App run history:

Navigate to: Logic App → Overview → Runs history

Confirm the test run shows "Succeeded." If it shows "Failed," open the run details to identify which action failed and why. Common causes: the Teams connection lacks permission to post to the channel, the Sentinel connection's user token has expired (switch it to the managed identity from Step 2), or the Compose expression hit a null description (use the coalesce() form from Step 3). If there is no run at all, the problem is upstream of the Logic App: check that the automation rule in Step 5 is enabled, that its condition matches the test incident's severity, and that Sentinel has the Microsoft Sentinel Automation Contributor role on the playbook's resource group.


Verification checklist