Sign In

SA0.7 Sentinel Automation Architecture

5 hours · Module 0 · Free
SENTINEL AUTOMATION — THREE MECHANISMSAUTOMATION RULESLightweight · No code• Change severity• Assign owner• Add tags• Run playbook• Close incidentRuns FIRST (order matters)PLAYBOOKS (Logic Apps)Powerful · Multi-step workflows• API calls (Graph, MDE, TI)• Conditional logic• Loops and parallel branches• External integrations• Human approval gatesTriggered BY automation rulesANALYTIC RULE ACTIONSAlert-level · Immediate• Run playbook on alert creation• Before incident grouping• Fastest trigger (seconds)• Limited to one playbook• No incident context yetUse for time-critical enrichmentEXECUTION ORDER — WHEN AN ALERT FIRES① ALERTKQL query matches② RULE ACTIONPlaybook runs on alert③ INCIDENTAlert grouped into incident④ AUTO RULESeverity, assign, playbookThe execution order determines WHEN your automation fires and WHAT data is available.Rule actions (②) fire on individual ALERTS — fastest, but no incident context (no entity grouping).Automation rules (④) fire on INCIDENTS — slower (seconds to minutes), but full entity mapping available.Most playbooks should trigger on incidents (④), not alerts (②), because incident entity mapping is requiredfor enrichment and containment actions that target specific users, IPs, or devices.

Figure SA0.7 — Sentinel's three automation mechanisms and their execution order. Automation rules fire after incident creation and can trigger playbooks. Analytic rule actions fire earlier, on individual alerts.

Operational Objective
Sentinel provides three distinct automation mechanisms — automation rules, playbooks (Logic Apps), and analytic rule actions. Each has different capabilities, different trigger timing, and different use cases. Choosing the wrong mechanism wastes effort (building a Logic App when an automation rule would suffice) or misses the opportunity (using an automation rule when a Logic App's conditional logic is required). This sub maps the three mechanisms, explains when to use each, and establishes the architecture that the rest of the course builds on.
Deliverable: A clear understanding of Sentinel's automation architecture — what each mechanism does, when it fires, and how to choose between them for any automation requirement.
⏱ Estimated completion: 25 minutes

Automation rules — the lightweight layer

Automation rules are Sentinel’s simplest automation mechanism. They require no code, no Logic Apps, and no Azure resource deployment. You configure them in the Sentinel portal under Automation → Automation rules.

An automation rule triggers when an incident is created or updated. It evaluates conditions (incident severity, analytics rule name, entity type, tags) and executes actions (change severity, change status, assign owner, add tags, run a playbook, close the incident).

When to use automation rules:

Triage acceleration — change severity on specific alert types. The “AiTM credential phishing” detection fires at Medium severity by default. An automation rule changes it to High because you have determined that AiTM is always High in your environment. This takes 2 minutes to configure and improves triage prioritisation permanently.

Assignment routing — assign incidents to the correct analyst or queue based on the analytics rule or severity. All identity-related incidents go to the identity specialist. All endpoint incidents go to the endpoint team. All Critical severity incidents go to the IR lead.

False positive auto-close — close incidents that match known false positive patterns. The impossible travel alert for the CEO who flies London-to-New-York weekly fires every Monday. An automation rule with conditions (analytics rule = “Impossible Travel” AND entity contains “ceo@northgateeng.com”) auto-closes the incident and adds a tag “auto-closed-known-travel.”

Playbook trigger — the most important use. Automation rules are the mechanism that triggers playbooks. You do not trigger a Logic App directly from an analytics rule (that is the less-common analytic rule action). Instead: the analytics rule creates an alert → the alert becomes an incident → the automation rule fires on incident creation → the automation rule triggers the playbook. This indirect path gives you incident-level context (grouped alerts, mapped entities) in the playbook.

Execution order matters. Automation rules execute in the order you define. If Rule 1 changes severity to High and Rule 2 triggers a playbook only on High severity incidents, Rule 1 must execute before Rule 2. Sentinel processes rules sequentially by their configured order number.

Playbooks — the power layer

Playbooks are Logic Apps — Azure’s serverless workflow automation service. They provide the multi-step, conditional, integration-capable automation that automation rules cannot.

A playbook can: call any REST API (Microsoft Graph, Defender API, VirusTotal, AbuseIPDB, ServiceNow, Slack, PagerDuty), execute conditional logic (if user is VIP then route to approval, else auto-contain), loop over entities (for each IP in the incident, query TI feeds), run parallel branches (query 3 TI feeds simultaneously), wait for human input (Teams adaptive card with Approve/Reject), and process complex data transformations.

Authentication. Playbooks authenticate to APIs using managed identities (recommended for Microsoft APIs), service principals (for third-party APIs that support OAuth), or API keys stored in Azure Key Vault. SA1 covers authentication in detail. The key principle: never store credentials in the playbook definition. Always use managed identity or Key Vault references.

The Sentinel connector. Every Sentinel playbook uses the “Microsoft Sentinel” connector as its trigger. The trigger type determines when the playbook fires: “When a Microsoft Sentinel incident is created” (most common) or “When a Microsoft Sentinel incident is updated.” The trigger provides the incident object with all its properties: severity, title, description, entities (accounts, IPs, hosts, URLs, files), alerts, and custom properties.

Entity extraction. The incident trigger provides entities — but extracting them reliably is the first challenge every playbook builder encounters. The entities are in a JSON array, and the array structure varies by alert type. Some alerts map a single Account entity. Some map an Account and an IP. Some map nothing (poorly configured analytics rules). Your playbook must handle all cases: extract the entity if it exists, skip gracefully if it does not. SA1 covers entity extraction patterns in detail.

Cost. Logic Apps charge per action execution. A playbook with 10 actions that fires 500 times per day executes 5,000 actions per day = 150,000 per month. At the Consumption plan rate of approximately £0.000025 per action, that is £3.75/month. Playbook costs are negligible for most SOCs. The exception is playbooks that query expensive external APIs (VirusTotal Premium, Shodan) — those APIs have their own pricing independent of Logic Apps.

Analytic rule actions — the fast path

The third mechanism is the least used but has a specific, important use case. An analytics rule can trigger a playbook directly when an alert is created — before the alert is grouped into an incident.

The advantage is speed. An automation rule fires after the incident is created, which can be seconds to minutes after the alert. An analytic rule action fires on the alert itself — as fast as the analytics rule schedule allows (minimum 5 minutes for scheduled rules, near-real-time for NRT rules).

The disadvantage is context. The alert-triggered playbook receives a single alert, not a grouped incident. It does not have the entity mapping that incident grouping provides. It cannot access other alerts in the same incident because the incident does not exist yet.

When to use analytic rule actions: Time-critical enrichment where you want data before the incident is created. For example: a near-real-time rule detects a potential AiTM. The analytic rule action fires a lightweight playbook that immediately queries the user’s current session status (are they actively signed in from the suspicious IP right now?). By the time the incident is created and an analyst opens it, the session status — which changes every minute — has already been captured.

When NOT to use analytic rule actions: For anything that requires incident-level context. Enrichment that needs to iterate over multiple entities (IPs, users, devices) requires the incident entity mapping. Containment actions that need to correlate alerts require the incident grouping. Notification playbooks that need severity-based routing require the incident severity, which may have been changed by an automation rule.

Choosing the right mechanism

Use this decision tree for every automation requirement:

Does the automation need conditional logic, API calls, or multi-step workflows? If yes → Playbook (Logic App), triggered by an automation rule on incident creation.

Is it a simple action (change severity, assign owner, add tag, close incident) with no external integration? If yes → Automation rule alone. No playbook needed.

Does it need to fire immediately on alert creation, before incident grouping, for time-critical evidence capture? If yes → Analytic rule action triggering a lightweight playbook.

In practice, 80% of your automation will be playbooks triggered by automation rules. 15% will be automation rules alone (severity changes, assignment routing, FP auto-close). 5% will be analytic rule actions for time-critical scenarios.

⚠ Compliance Myth: "We need a dedicated Azure subscription for security automation to maintain separation of duties"

The myth: Security automation (Logic Apps, playbooks) should run in a separate Azure subscription from the production environment to ensure separation of duties and prevent security tools from accessing production resources.

The reality: Sentinel playbooks must run in the same subscription (or a connected subscription) as the Sentinel workspace to use the Sentinel connector trigger. Separation of duties is maintained through RBAC, not subscription boundaries. The playbook’s managed identity has only the permissions it needs (e.g., User.Read.All for enrichment, User.RevokeSessions for containment). It cannot access production resources that its permissions do not include. Putting playbooks in a separate subscription adds complexity (cross-subscription connector authentication) without improving security. Use resource groups for organisational separation and RBAC for access control.

Decision point: You need to build automation that changes AiTM incident severity to High and then triggers an enrichment playbook. Should this be two automation rules (Rule 1: change severity, Rule 2: run playbook) or one automation rule that does both? Sentinel automation rules support multiple actions in a single rule. Using one rule with two actions (change severity + run playbook) is simpler and avoids ordering issues. The rule changes severity AND triggers the playbook in one execution. Use multiple rules only when the conditions differ — for example, one rule applies to all AiTM incidents (change severity) while a different rule applies only to High severity AiTM incidents from external IPs (run the containment playbook).

Try it: Inventory Sentinel's automation capabilities

In your Sentinel workspace:

  1. Navigate to Automation → Automation rules. How many rules exist? What actions do they take?
  2. Navigate to Automation → Active playbooks. How many playbooks are connected? Check each: when did it last run? Did it succeed or fail?
  3. Open any analytics rule → Automated response tab. Are any playbooks configured as analytic rule actions?
  4. Check playbook permissions: navigate to each playbook in the Azure portal → Identity blade. What managed identity permissions does it have?

If you find playbooks with excessive permissions (e.g., Directory.ReadWrite.All when only User.Read.All is needed), that is a security risk to remediate.

You want to build automation that auto-closes "impossible travel" alerts when the source IP matches a known VPN exit node on your watchlist. The automation needs to: (1) check the incident's source IP against a Sentinel watchlist, (2) if it matches, close the incident with classification "BenignPositive." Which mechanism is correct?
Automation rule only — with a condition matching the VPN IPs. Automation rules cannot query watchlists. Their conditions are limited to incident properties (severity, title, tags, analytics rule name, entity type). Checking an IP against a watchlist requires KQL or a Logic App action.
Playbook triggered by an automation rule. The automation rule fires on incident creation for "impossible travel" alerts. The playbook extracts the IP entity, queries the VPN exit node watchlist using a KQL query action, and if the IP matches, uses the Sentinel connector to close the incident with classification "BenignPositive." This requires Logic App capability because the watchlist lookup is a data query, not a simple condition.
Analytic rule action. This fires before the incident is created, so it cannot close the incident (which does not exist yet). It also lacks access to entity mapping needed for reliable IP extraction.
Modify the KQL in the analytics rule to exclude VPN IPs. This is a valid alternative — adding a join against the watchlist in the KQL itself prevents the alert from firing at all. But the question asks which automation mechanism to use, not whether to modify the detection rule. Both approaches work; the playbook approach is better when you want the alert to fire (for logging and metrics) but be auto-resolved.

Where this goes deeper. SA1 builds your first automation rule and your first playbook step by step, including managed identity configuration, entity extraction, error handling, and testing. SA2-SA7 build production playbooks for enrichment, collection, notification, and containment using the architecture established here. SA9 covers the KQL-driven alternative — modifying analytics rule logic to handle automation at the detection layer rather than the response layer.

Operational Artifact — Sentinel Automation Architecture Reference
Use this decision tree when designing any automation: automation rule for simple actions, playbook for complex workflows, analytic rule action for time-critical alert-level triggers. The execution order diagram (Alert → Rule Action → Incident → Automation Rule) is the reference for understanding when your automation fires and what data is available at each stage. SA1 will implement each mechanism hands-on.
© 2026 Ridgeline Cyber Defence™ Ltd. Content may not be reproduced or redistributed. Worked artifacts may be adapted for use within your organization.

You're reading the free modules of this course

The full course continues with advanced topics, production detection rules, worked investigation scenarios, and deployable artifacts. Premium subscribers get access to all courses.

View Pricing See Full Syllabus
← SA0.6 NE's Automation Landscape SA0.8 Defender XDR Automation Architecture →