Sign In

SA1.2 Playbooks — The Power Layer

5 hours · Module 1 · Free
SENTINEL PLAYBOOK (LOGIC APP) — ANATOMYTRIGGERIncident createdEXTRACTEntities fromincident payloadQUERYGraph API, KQL,TI feeds, MDECONDITIONIf VIP → approvalIf server → gateACTRespondLOGIC APP BUILDING BLOCKSCONNECTORSMicrosoft Sentinel (trigger)Microsoft Graph (identity)MDE (endpoints)Teams, Outlook, HTTP, SQLCONTROL FLOWCondition (if/else)Switch (multi-branch)For Each (loop over entities)Scope (error handling group)DATA OPERATIONSParse JSONCompose (build objects)Filter arraySelect (transform arrays)AUTHENTICATION METHODSManaged Identity (recommended) — system-assigned, auto-managed credentials, Graph/ARM/MDE API accessService Principal — for third-party APIs (VirusTotal, AbuseIPDB, ServiceNow). Credentials in Key Vault.API Key — simplest, for APIs that do not support OAuth. Store in Key Vault, never in playbook definition.Rule: managed identity for Microsoft APIs. Key Vault for everything else. NEVER hardcode credentials.

Figure SA1.2 — Logic App anatomy for Sentinel playbooks. Trigger → Extract entities → Query data → Condition → Act. Connectors provide API access. Control flow provides logic. Data operations handle JSON transformation.

Operational Objective
Playbooks are Logic Apps — Azure's serverless workflow engine. They are the power layer that enables everything automation rules cannot: API calls, conditional logic, loops, external integrations, and human approval workflows. But Logic Apps have a learning curve. The designer interface looks like spaghetti when the playbook grows beyond 5 steps. JSON expressions for dynamic content are unintuitive. Error handling requires deliberate architecture. This sub demystifies Logic Apps by teaching the anatomy, the building blocks, and the design patterns that produce maintainable, production-quality playbooks.
Deliverable: Understanding of Logic App anatomy sufficient to build, read, and troubleshoot Sentinel playbooks. You will build your first playbook in SA1.4.
⏱ Estimated completion: 30 minutes

Logic Apps for security — what you need to know

Logic Apps is a broad platform used for enterprise integration, workflow automation, and API orchestration across hundreds of use cases. For security automation, you need approximately 10% of the platform’s capability. This sub focuses on the 10% that matters.

A Logic App is a sequence of steps. Each step is an action from a connector. The Sentinel connector provides the trigger (“When Microsoft Sentinel incident is created”) and incident manipulation actions (add comment, change severity, change status). The Microsoft Graph connector provides identity operations (get user, revoke sessions, list group members). The MDE connector provides endpoint operations (isolate device, run live response). The Teams connector sends messages and adaptive cards. The HTTP connector calls any REST API.

Steps execute sequentially by default. You can add parallel branches (execute two API calls simultaneously), conditions (if user is VIP, do X; else do Y), loops (for each IP entity, query TI feed), and scopes (group steps for shared error handling).

Every step produces output. The output is available to subsequent steps as “dynamic content” — a picker in the designer that lets you reference values from previous steps. When the Sentinel trigger fires, its output includes the incident object: title, severity, description, entities, alerts, and custom properties. When you add a “Get user” action from the Graph connector, its output includes the user’s display name, job title, department, and risk level. You reference these outputs in subsequent steps to build the enrichment comment, the Teams notification, or the containment decision logic.

The five-step playbook pattern

Every Sentinel playbook follows the same five-step pattern. The steps vary in complexity, but the pattern is consistent:

Step 1: Trigger. The playbook fires when a Sentinel incident is created or updated. The trigger provides the incident object with all its properties and entities.

Step 2: Extract entities. The incident contains entities — accounts, IPs, hosts, URLs, files — but they are in a JSON array that requires parsing. You extract the entity you need (the Account entity for identity enrichment, the IP entity for TI lookup) and store it in a variable or pass it directly to the next action.

Step 3: Query external data. Call APIs to gather enrichment data, collect evidence, or check containment prerequisites. This is where the connector ecosystem matters: Graph API for identity data, MDE API for endpoint data, HTTP action for any REST API, and the Sentinel connector’s “Run query” action for KQL queries against the workspace.

Step 4: Apply conditional logic. Based on the query results, decide what to do. If the user’s risk level is High AND the IP is not on the known-safe watchlist AND the detection confidence is above 95%, execute containment. If the user is on the VIP watchlist, route to the approval gate instead. If any query failed (API timeout, permission error), skip to the error handling path.

Step 5: Execute and document. Take the appropriate action: add an enrichment comment to the incident, send a Teams notification, execute containment, or present an approval request. Always add the final action as an incident comment documenting what the playbook did — this creates the audit trail.

Connectors you will use in this course

Microsoft Sentinel connector. Trigger: “When Microsoft Sentinel incident is created.” Actions: Add comment to incident, Update incident (change severity, status, owner, tags), Get incident, List incidents. The Sentinel connector authenticates via managed identity — enable the system-assigned managed identity on the Logic App and grant it “Microsoft Sentinel Responder” role on the workspace.

Microsoft Graph connector (via HTTP action). The Graph API connector in Logic Apps is limited. For security automation, use the HTTP action to call Graph directly with managed identity authentication. Endpoints you will use: /users/{id} (get user profile), /users/{id}/revokeSignInSessions (revoke sessions), /users/{id}/authentication/methods (MFA methods), /identityProtection/riskyUsers/{id} (risk status). Grant the managed identity the specific Graph permissions required — User.Read.All for enrichment, User.RevokeSessions.All for containment.

Log Analytics connector. Run KQL queries against the Sentinel workspace from within the playbook. This is how you query SigninLogs, AuditLogs, ThreatIntelligenceIndicator, and _GetWatchlist() from inside a Logic App. The results are returned as a JSON table that you parse and include in the enrichment comment.

Teams connector. Post messages and adaptive cards to Teams channels. Adaptive cards support rich formatting (tables, severity badges, entity lists) and interactive elements (Approve/Reject buttons for human-in-the-loop workflows). The Teams connector authenticates via the connection creator’s account — this means someone must create the Teams connection and authorize it.

HTTP connector. Call any REST API. VirusTotal, AbuseIPDB, Shodan, ServiceNow, Jira, Palo Alto, custom internal APIs. The HTTP connector handles GET, POST, PUT, PATCH, DELETE. Authentication options: API key (in header or query), OAuth (client credentials flow), managed identity (for Azure APIs), or no auth (for public APIs).

Dynamic content and expressions

Dynamic content is the mechanism that passes data between steps. When you add a “Compose” action, you can reference values from previous steps using the dynamic content picker — click “Add dynamic content” and select from a list of available values (incident title, incident severity, user display name, etc.).

For complex data manipulation, you use expressions — Logic App’s formula language. Expressions look like: @{triggerBody()?['object']?['properties']?['severity']} — which extracts the severity value from the trigger payload. The syntax is verbose but learnable. Key expressions you will use:

triggerBody() — the complete trigger payload (the incident object). body('action_name') — the output of a specific action. items('For_each') — the current item in a For Each loop. if(condition, true_value, false_value) — inline conditional. length(collection) — count items in an array. json(string) — parse a string as JSON.

You do not need to memorise these. The designer provides autocomplete, and every sub in this course shows the exact expressions for each playbook step.

⚠ Compliance Myth: "Logic Apps are too expensive for security automation"

The myth: Logic Apps charge per action execution, and security playbooks running on every incident will generate expensive bills.

The reality: At the Consumption plan rate (approximately £0.000025 per action), a playbook with 15 actions running 500 times per day costs roughly £5.60 per month. A comprehensive automation stack with 10 playbooks averaging 20 actions each, all running on every incident, costs approximately £75 per month. Compare this to the analyst time saved: if automation reduces triage time by 5 minutes per alert × 500 alerts = 2,500 minutes = 41.6 hours per day. At an analyst salary of £50,000/year (£24/hour), that is £1,000/day of recovered analyst time for £75/month of Logic App cost. The ROI is not close.

The exception: playbooks that call expensive third-party APIs (VirusTotal Premium at £700/month, Shodan at £50/month) have external costs independent of Logic Apps. Budget API costs separately from Logic App execution costs.

Decision point: You are designing an enrichment playbook that queries 5 data sources: SigninLogs (KQL), user risk (Graph), device compliance (Graph), IP reputation (VirusTotal HTTP), and alert history (KQL). Should you run these queries sequentially or in parallel? Sequential execution takes 5 × average query time. Parallel execution takes the duration of the slowest query. If each query averages 3 seconds, sequential = 15 seconds, parallel = 3 seconds. Logic Apps support parallel branches — add all 5 queries as parallel actions, then use a “Compose” action after all branches complete to aggregate the results into a single enrichment comment. The playbook runs 5x faster. The trade-off: debugging parallel branches is harder than debugging sequential steps because the execution path is less linear. Start with sequential for your first playbook (easier to troubleshoot), then refactor to parallel once the logic is validated.

Try it: Explore the Logic App designer

If you have an Azure subscription (free tier works):

  1. Navigate to portal.azure.com → Logic Apps → Create
  2. Choose Consumption plan, name it “SA-Test-Explore,” select your resource group
  3. Open the designer. Search for “Microsoft Sentinel” and select the trigger “When Microsoft Sentinel incident is created”
  4. Click “+ New step.” Browse the available connectors. Find: Microsoft Graph, Teams, HTTP, Log Analytics
  5. Add an HTTP action. Set Method = GET, URI = https://graph.microsoft.com/v1.0/me. This will not work yet (no auth) — but you can see the structure
  6. Delete the Logic App when done (do not deploy test artifacts to production)

This exercise is about navigating the designer, not building a working playbook. SA1.4 builds the working playbook step by step.

You are building a playbook that enriches incidents with user risk data from Microsoft Graph. The playbook needs to call `https://graph.microsoft.com/v1.0/identityProtection/riskyUsers/{userId}`. What authentication method should you use?
Managed identity. The Logic App's system-assigned managed identity is granted "IdentityRiskyUser.Read.All" permission in Entra ID. The HTTP action uses "Managed Identity" authentication with audience "https://graph.microsoft.com". No credentials stored anywhere — Azure handles token acquisition automatically.
API key in the HTTP header. Microsoft Graph does not support API key authentication. Graph uses OAuth 2.0 — either delegated (user context) or application (service context). For automation, application permissions via managed identity are the correct approach.
Service principal with client secret stored in the Logic App definition. Storing secrets in the Logic App definition is a security risk — anyone with read access to the Logic App can see the secret. Use managed identity (no secret needed) or store secrets in Key Vault with Key Vault reference.
The Microsoft Graph connector (built-in). The built-in Graph connector uses delegated permissions (user context), which requires an interactive sign-in and does not work for automated workflows. For automation, use the HTTP action with managed identity and application permissions.

Where this goes deeper. SA1.4 builds your first production playbook step by step — every action, every expression, every configuration. SA1.5 covers authentication and permissions in depth — managed identity setup, Graph permission grants, Key Vault integration, and least-privilege design. SA1.7 covers error handling patterns that prevent silent failures.

Operational Artifact — Logic App Architecture Reference
The five-step pattern (trigger → extract → query → condition → act) and the connector list above are the architectural reference for every playbook in this course. When designing a new playbook, start with this pattern: what triggers it, what entities does it need, what data does it query, what conditions determine the action, and what action does it take. The pattern produces a clean, maintainable Logic App structure regardless of the specific automation it implements.
© 2026 Ridgeline Cyber Defence™ Ltd. Content may not be reproduced or redistributed. Worked artifacts may be adapted for use within your organization.

You're reading the free modules of this course

The full course continues with advanced topics, production detection rules, worked investigation scenarios, and deployable artifacts. Premium subscribers get access to all courses.

View Pricing See Full Syllabus
← SA1.1 Automation Rules — The Lightweight Layer SA1.3 Your First Automation Rule →