What’s new: Run playbooks on incidents on-demand going GA in unified platform

is a key facilitator for a SOC's ability to save time and let the team focus on what matters most. We are happy to announce that the ability to run a playbook on incidents on demand is now hitting GA!

Run playbooks as part of incident investigation and response

rules are incredibly useful for addressing tasks after an incident has been created. This can include identifying and closing false positives to reduce the noise of an incident queue, enriching an incident with , orchestrating the response to an incident across teams or taking quick action to mitigate a compromise such as a force reset of a password or isolating an endpoint from a

However, in many cases, teams prefer some tasks to be governed by human decision-making. For example, while investigating an incident, analysts may work with a list of remediation tasks. They might gather supporting information and correlate between multiple insights, leading them to take various actions at their discretion. Also, some SOCs would prefer their analysts to perform actions when needed, even if they can be fully automated, to ensure the right actions are taken every time.

Now, playbooks can become a tool that can also be used for manual decision making for Microsoft Sentinel customers in both the Azure and portals. With the ability to create a playbook that encapsulates the steps to respond to an incident, but only apply it on demand, there is a new flexibility for managing when action is taken. These playbooks can be stored in a dedicated resource group which your analysts have access to (or you can give them access to individual playbooks independently). While working on incidents, analysts can choose at any point to open the playbook side panel and launch a playbook from their list.

With this new ability, SOCs can better manage response, create more workflows for their team to ensure all the right actions are taken, and have more power to make a decision based on the context of an incident.

Now, the unified SOC operations platform can leverage the hundreds of playbook templates available within the content hub gallery, so you can start deriving value from as quickly as possible:


For more information on creating a playbook from a playbook template, please visit the following link: https://learn.microsoft.com/en-us/azure/sentinel/automation/use-playbook-templates


If more specific logic is needed, you can create a playbook from scratch using our automation tab: Create -> Playbook with incident trigger:


For detailed instructions on creating a playbook from scratch, please visit the following link: https://learn.microsoft.com/en-us/azure/sentinel/automation/create-playbooks?tabs=defender-portal%2C…


After creating the desired playbook, navigate to the Incidents page and select an incident. From the incident details pane that appears on the side, choose “Run Playbook.”



You'll see a list of all available playbooks; select the one you want to trigger.

For detailed instructions on triggering a playbook on demand, please visit the following link:

Automate and run Microsoft Sentinel playbooks | Microsoft Learn


This article was originally published by Microsoft's Sentinel Blog. You can find the original article here.