
AZ-500: What Specific Triggers Are Required to Create Sentinel Security Playbook?

Why Can’t Microsoft Sentinel Playbooks Use Standard Logic App Triggers?

Pass the AZ-500 exam by understanding why Microsoft Sentinel playbooks must start with a Sentinel-specific trigger. Learn the difference between standard Logic App triggers and the specialized incident, alert and entity triggers used for security orchestration, automation and response (SOAR).

Question

Logic Apps created for use in the Security Playbooks feature of Azure Sentinel may use any of the triggers available to the Logic Apps Premium SKU.

A. TRUE
B. FALSE

Answer

B. FALSE

Explanation

The correct answer is B. FALSE. For a Logic App to function as a security playbook in Microsoft Sentinel (formerly Azure Sentinel), its workflow must begin with one of the dedicated, product-specific Microsoft Sentinel triggers supplied by the Microsoft Sentinel connector, not with an arbitrary trigger from the Logic Apps catalogue.

Only the Microsoft Sentinel product-specific triggers may be used as the starting point of a playbook.

The Role of Sentinel-Specific Triggers

A “playbook” in Microsoft Sentinel is not just any Logic App; it is a Logic App specifically designed for Security Orchestration, Automation, and Response (SOAR). This requires a direct integration point, which is provided by the Sentinel triggers. These triggers are the mechanism that allows Sentinel to invoke the automation workflow and pass critical security context to it.

  • Incident trigger: The most common trigger is Microsoft Sentinel incident. Playbooks that start with it can be run automatically by an automation rule when an incident is created or updated, or manually by an analyst from an incident. The trigger passes the full incident object, including its entities and alerts, into the Logic App.
  • Alert trigger: Microsoft Sentinel alert (formerly shown as When a response to a Microsoft Sentinel alert is triggered). Playbooks that start with it are run manually by an analyst on a specific alert, or attached to an analytics rule through its alert automation setting; they receive the alert rather than a whole incident.
  • Entity trigger: Microsoft Sentinel entity. Playbooks that start with it are run manually against a single entity of a given type (an IP address, account, host and so on) from an incident's entities tab, an entity page or the investigation graph.

Why Standard Logic App Triggers Are Incompatible

Standard Logic App triggers, such as “When an HTTP request is received,” “Recurrence,” or “When a new file is created,” operate independently of Sentinel’s security context.

  • Lack of context: A standard trigger has no awareness of a Sentinel incident, alert or entity; nothing in its inputs carries the incident ID, the entities or the alerts that the playbook's actions need.
  • Invocation method: Sentinel's automation rules and the manual "Run playbook" actions only enumerate Logic Apps whose trigger comes from the Microsoft Sentinel connector, so a Logic App that starts with any other trigger is simply not offered as a playbook. Even a correctly triggered playbook still needs permissions before Sentinel can run it: for automation rules, the Microsoft Sentinel Automation Contributor role on the playbook's resource group, and for the Sentinel connection inside the playbook, an identity with at least the Microsoft Sentinel Responder role if the playbook updates incidents.

While the actions within the playbook can use any of the hundreds of connectors available in Logic Apps (for example, to block an IP address in Azure Firewall, disable a user in Microsoft Entra ID, formerly Azure AD, or create a ticket in ServiceNow), the starting point of the workflow must be one of the dedicated Sentinel triggers. A Logic App with an HTTP or recurrence trigger can still be called from within a playbook as a nested workflow, but it cannot itself be registered or run as a playbook. This is what fundamentally distinguishes a generic Logic App from a Sentinel security playbook.
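The distinction described in the trigger list and the incompatibility section above can be checked mechanically on an exported workflow definition (the JSON you get from the Logic App designer's code view or from an ARM export). The following is an added example written for this page; it is not code from the page, from Microsoft or from any Sentinel playbook template. The trigger paths (/incident-creation, /subscribe, /entity/...) and the way the azuresentinel connection is referenced in Consumption versus Standard definitions are assumptions based on exported definitions; verify them against your own export before using the check in a pipeline. The sample definitions are constructed inline.

```python
"""Classify an exported Logic App workflow definition as a Microsoft Sentinel
playbook (incident / alert / entity) or as a plain Logic App (None).

Added example for this page, not Microsoft's code. Trigger paths and
connection-name conventions below are ASSUMPTIONS taken from exported
workflow definitions; confirm them against your own export.
"""
import json
import re
from typing import Dict, Optional

# Assumed path values used by the Sentinel connector's webhook triggers.
SENTINEL_TRIGGER_PATHS = {
    "/incident-creation": "incident",  # "Microsoft Sentinel incident" trigger
    "/subscribe": "alert",             # "Microsoft Sentinel alert" trigger
}
ENTITY_PATH_RE = re.compile(r"^/entity/")  # assumed prefix of the entity trigger


def _uses_sentinel_connection(host: dict) -> bool:
    """True if the trigger's API connection is the azuresentinel connector.

    Consumption definitions reference the connection through
    @parameters('$connections')['azuresentinel']['connectionId'];
    Standard definitions use host.connection.referenceName (assumed).
    """
    conn = host.get("connection", {}) or {}
    name = conn.get("name") or ""
    ref = conn.get("referenceName") or ""
    return "['azuresentinel']" in name or ref.lower().startswith("azuresentinel")


def classify_playbook(definition: dict) -> Optional[str]:
    """Return 'incident', 'alert' or 'entity' when the workflow starts with a
    Microsoft Sentinel trigger; otherwise None (Sentinel will not run it)."""
    triggers = definition.get("triggers", {}) or {}
    if len(triggers) != 1:
        return None  # a Logic App workflow has exactly one trigger
    (trigger,) = triggers.values()
    if trigger.get("type") != "ApiConnectionWebhook":
        return None  # Request, Recurrence, polling ApiConnection, ... are not Sentinel triggers
    inputs = trigger.get("inputs", {}) or {}
    if not _uses_sentinel_connection(inputs.get("host", {}) or {}):
        return None  # a webhook trigger from some other connector
    path = inputs.get("path", "") or ""
    if path in SENTINEL_TRIGGER_PATHS:
        return SENTINEL_TRIGGER_PATHS[path]
    if ENTITY_PATH_RE.match(path):
        return "entity"
    return None


def classify_json(text: str) -> Optional[str]:
    """Same check on the raw JSON text of a definition."""
    return classify_playbook(json.loads(text))


def audit(definitions: Dict[str, dict]) -> Dict[str, Optional[str]]:
    """Map each workflow name to its playbook kind (or None)."""
    return {name: classify_playbook(d) for name, d in definitions.items()}


# --- constructed sample definitions (not real exports) ---------------------
SENTINEL_INCIDENT_PLAYBOOK = {
    "triggers": {
        "Microsoft_Sentinel_incident": {
            "type": "ApiConnectionWebhook",
            "inputs": {
                "body": {"callback_url": "@{listCallbackUrl()}"},
                "host": {"connection": {
                    "name": "@parameters('$connections')['azuresentinel']['connectionId']"}},
                "path": "/incident-creation",
            },
        }
    },
    "actions": {"Add_comment_to_incident": {"type": "ApiConnection"}},
}
STANDARD_ALERT_PLAYBOOK = {  # Standard-SKU style connection reference (assumed)
    "triggers": {"Microsoft_Sentinel_alert": {
        "type": "ApiConnectionWebhook",
        "inputs": {"body": {"callback_url": "@{listCallbackUrl()}"},
                   "host": {"connection": {"referenceName": "azuresentinel"}},
                   "path": "/subscribe"}}},
    "actions": {},
}
HTTP_LOGIC_APP = {  # "When an HTTP request is received": not a playbook
    "triggers": {"manual": {"type": "Request", "kind": "Http", "inputs": {"schema": {}}}},
    "actions": {},
}
RECURRENCE_LOGIC_APP = {  # scheduled job: not a playbook either
    "triggers": {"Recurrence": {"type": "Recurrence",
                                "recurrence": {"frequency": "Hour", "interval": 1}}},
    "actions": {},
}
SAMPLES = {
    "Block-IP-On-Incident": SENTINEL_INCIDENT_PLAYBOOK,
    "Enrich-Alert": STANDARD_ALERT_PLAYBOOK,
    "Webhook-Receiver": HTTP_LOGIC_APP,
    "Hourly-Cleanup": RECURRENCE_LOGIC_APP,
}

if __name__ == "__main__":
    for name, kind in audit(SAMPLES).items():
        print(f"{name}: {kind or 'not a Sentinel playbook'}")
```

Run the script as-is to see the four constructed workflows classified; to audit real resources, export each workflow's definition (for example with az logic workflow show and the definition property) and pass it to classify_json. Only the workflows reported as incident, alert or entity will ever appear in Sentinel's automation rule or "Run playbook" pickers.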
