SA1.11 Interactive Lab: Build Your First Playbook

5 hours · Module 1 · Free

Lab: Build and Deploy the Enrichment Playbook

In this lab, you build and deploy the SA-Playbook-Enrichment-First playbook from SA1.4, connect it to the automation rules from SA1.3, and validate the complete automation chain.

Part 1: Build the Automation Rules

Deploy the four automation rules from SA1.3:

  1. AiTM Triage Acceleration (order 100)
  2. Ransomware Severity Override (order 110)
  3. Playbook Trigger for High/Critical (order 200)
  4. CEO Travel FP Auto-Close (order 500)

Verify: create a test incident whose title contains “AiTM”. Confirm that the severity changes to High and the tag is applied.
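To see why the rule order in Part 1 matters, here is an added Python model (not part of the course material) of the four rules evaluated in ascending order, with each rule seeing the changes made by earlier ones, which is what the lab's ordering relies on. The rule names and orders are from the lab; the conditions for rules 110 and 500 and the TRAVELING_EXECS allow-list are assumptions.

```python
from dataclasses import dataclass, field
from typing import Callable

# Constructed allow-list for the CEO-travel false-positive rule (assumption).
TRAVELING_EXECS = {"ceo@contoso.example"}

@dataclass
class Incident:
    title: str
    account: str = ""
    severity: str = "Medium"
    status: str = "New"
    tags: list = field(default_factory=list)
    playbooks_run: list = field(default_factory=list)

@dataclass
class Rule:
    order: int
    name: str
    condition: Callable[[Incident], bool]
    actions: dict

def apply_actions(inc: Incident, actions: dict) -> None:
    """Apply a rule's actions in place: severity/status overwrite, tags/playbooks append."""
    inc.severity = actions.get("severity", inc.severity)
    inc.status = actions.get("status", inc.status)
    inc.tags += [actions["tag"]] if "tag" in actions else []
    inc.playbooks_run += [actions["playbook"]] if "playbook" in actions else []

# Orders and names follow SA1.3; the conditions for rules 110 and 500 are assumed.
RULES = [
    Rule(100, "AiTM Triage Acceleration",
         lambda i: "aitm" in i.title.lower(),
         {"severity": "High", "tag": "AiTM"}),
    Rule(110, "Ransomware Severity Override",
         lambda i: "ransomware" in i.title.lower(),
         {"severity": "Critical", "tag": "Ransomware"}),
    Rule(200, "Playbook Trigger for High/Critical",
         lambda i: i.severity in ("High", "Critical"),
         {"playbook": "SA-Playbook-Enrichment-First"}),
    Rule(500, "CEO Travel FP Auto-Close",
         lambda i: i.title.startswith("Impossible travel") and i.account in TRAVELING_EXECS,
         {"status": "Closed", "tag": "FalsePositive"}),
]

def evaluate(inc: Incident, rules=RULES) -> Incident:  # ascending order; later rules see earlier changes
    for rule in sorted(rules, key=lambda r: r.order):
        if rule.condition(inc):
            apply_actions(inc, rule.actions)
    return inc
```

Moving the AiTM rule behind the playbook trigger (order 300 instead of 100) still raises the severity but never runs the playbook, which is the failure mode the ordering in Part 1 prevents.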

Part 2: Build the Enrichment Playbook

Follow SA1.4 step by step:

  1. Create the Logic App (Consumption plan)
  2. Configure managed identity + permissions (Sentinel Responder + Log Analytics Reader)
  3. Build the 6-action workflow: trigger → extract → query → comment → Teams → tag
  4. Save and connect to automation rule (order 200)

Part 3: End-to-End Test

  1. Create a test incident matching the playbook trigger conditions
  2. Verify: Logic App run succeeds, enrichment comment appears, Teams message posted, tag updated
  3. Check run history: note execution time and any warnings

Part 4: Add Monitoring

  1. Enable diagnostic settings on the Logic App (send to Log Analytics workspace)
  2. Create the health monitoring analytics rule from SA1.9
  3. Verify: force a playbook failure (temporarily remove a permission) and confirm the monitoring alert fires
  4. Restore the permission and confirm the playbook recovers

Self-Assessment

  • All 4 automation rules deployed and validated
  • Enrichment playbook built and successfully tested
  • Managed identity configured with least-privilege permissions
  • Teams notification received in SOC channel
  • Monitoring analytics rule active and tested
  • Logic App run history shows successful execution under 30 seconds
