Microsoft Sentinel Automation Rules and Playbooks: How to Automate Incident Response Without a Full SOAR

Retool's new app builder is where AI-generated code ships safely
Building apps with AI is easy. Getting them to production safely is another story.
Most Sentinel deployments are configured for detection but not automation. Analysts manually triage every incident, manually look up user context, and manually take response actions. For a team with 100 daily incidents, manual triage consumes most of the analyst day. Automation rules and playbooks eliminate the manual steps that do not require human judgment -- closing known-false-positive signatures automatically, enriching every incident with user and device context, and escalating high-severity incidents to response channels. This guide builds three automations that provide immediate efficiency gains.
Automation Rules: The No-Code First Layer
Automation rules run before a playbook and can take immediate action on incidents without a Logic Apps execution. Create them in Sentinel > Automation > Create > Automation Rule. Useful automation rules that require no code: Auto-close low-fidelity incidents from specific rules -- if you have an analytic rule that generates frequent false positives and you have not yet tuned it, create an automation rule that closes incidents from that specific rule with status 'False Positive' and a note explaining why. This prevents analyst queue pollution while the rule is being tuned. Change severity based on entity context -- if an incident involves a user in your 'High Priority Executives' watchlist, automatically raise severity to High regardless of the base rule severity. Add an owner based on incident source -- route cloud incidents to the cloud security team, endpoint incidents to the endpoint team, using automation rules to assign ownership immediately on creation. Automation rules are evaluated in order (by priority) and can include up to 50 conditions per rule using AND/OR logic.
Playbook 1: User Entity Enrichment
The most universally useful playbook enriches every incident with context about the user entity involved. Build in Logic Apps: Trigger: Sentinel incident trigger (When Azure Sentinel incident creation rule was triggered). Action 1: Get Entities - Accounts (Sentinel built-in connector). Action 2: For each account entity, call the Microsoft Graph API to get user details: GET https://graph.microsoft.com/v1.0/users/{UserPrincipalName}?$select=displayName,jobTitle,department,manager,accountEnabled,lastPasswordChangeDateTime,signInSessionsValidFromDateTime. Action 3: Add a comment to the Sentinel incident with the enrichment data -- department, job title, manager name, whether the account is enabled, last password change date. Action 4: If accountEnabled=false, auto-close as False Positive (disabled accounts cannot sign in). This playbook transforms every incident from 'user JSmith triggered alert' to 'Jane Smith, Finance Manager, reports to CFO, account enabled, password changed 2 years ago' -- context that informs triage decisions immediately. Connect the playbook to an automation rule that runs it on every incident.
Briefings like this, every morning before 9am.
Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.
Playbook 2: High-Severity Incident Notification
Create a playbook that alerts the security team via Microsoft Teams when a high-severity incident is created. Trigger: Sentinel incident trigger. Condition: if incident severity = High or Critical. Action: Post a Teams adaptive card to the security team channel with: incident name and description, severity and confidence, affected user and host entity names, link to the Sentinel incident for investigation, and two action buttons ('Acknowledge' and 'Escalate to CISO'). When an analyst clicks Acknowledge in Teams, another Logic Apps flow marks the incident as Active and assigns it to the acknowledging analyst (using the Teams approval action to capture the responding user identity). This replaces email alert chains with a structured Teams workflow where every high-severity incident has a documented acknowledgment and owner. The Teams adaptive card can be sent within seconds of incident creation -- faster than any manual monitoring workflow.
Playbook 3: Automated Device Isolation on Confirmed Compromise
For incidents where an analyst confirms device compromise (typically after reviewing evidence and escalating the incident to Active status with the 'True Positive' label), create a playbook that calls the Microsoft Defender for Endpoint API to isolate the device with one click. Trigger: Sentinel incident trigger when Status = Active AND Classification = TruePositive AND Severity = High. Action 1: Get Entities - Hosts (extract the device entity from the incident). Action 2: Call the MDE API: POST https://api.securitycenter.microsoft.com/api/machines/{machineId}/isolate with body {"Comment":"Isolated via Sentinel playbook due to confirmed compromise", "IsolationType":"Full"}. The playbook needs a managed identity or service principal with the Machine.Isolate application permission in MDE. Action 3: Post a Teams notification confirming the isolation action was taken, including the machine name and time of isolation. This converts a manual 5-step process (find the device in MDE, look up the machine ID, call the API, confirm isolation, log the action) into a single classification step in Sentinel. The isolation action should be triggered by analyst confirmation (incident reclassification), not automatically on alert creation -- you do not want to isolate devices on false positive incidents.
Permissions, Testing, and Cost
Playbooks run as Logic Apps with either a Managed Identity (recommended) or a service principal. The Managed Identity needs: Microsoft Sentinel Responder role (to add comments and update incidents), Graph API User.Read.All (for user enrichment), MDE Machine.Isolate (for device isolation), and whatever permissions specific actions require. Assign the Managed Identity permissions in the Azure portal IAM settings for each resource. Testing: use the Sentinel playbook test feature (Run playbook on a test incident) before linking to live automation rules. Check the Logic Apps run history for errors and execution details. Cost: Logic Apps consumption tier charges per action execution. A user enrichment playbook running on 100 incidents per day with 5 actions each costs approximately $0.005 per execution -- roughly $2.50 per month for 100 daily incidents. Device isolation playbooks that run less frequently cost pennies per month. Sentinel automation is extremely cost-effective compared to dedicated SOAR licensing.
The bottom line
Sentinel automation rules and playbooks provide meaningful SOAR capability at low cost and with no additional platform licensing. Start with three automations: auto-enrichment of user entities on every incident, Teams notification for high-severity incidents, and analyst-triggered device isolation. These three automations address the highest-volume manual tasks for most Sentinel teams and can be built in a day. After deploying them, measure analyst time spent per incident before and after -- most teams see a 30 to 50 percent reduction in triage time for the automated incident types.
Frequently asked questions
What is the difference between an automation rule and a playbook?
Automation rules are lightweight, no-code actions that run directly in Sentinel and take effect immediately on incident creation or update: change severity, change status, assign owner, add tasks, or run a playbook. They do not have conditional logic beyond their trigger conditions, and they do not call external APIs. Playbooks are Azure Logic Apps workflows with full conditional logic, loops, and the ability to call any API or use any Logic Apps connector. They are invoked by automation rules when external actions (API calls, notifications, ITSM tickets) are needed. Use automation rules for simple property changes and routing; use playbooks for enrichment, notification, and response actions.
Can Sentinel playbooks automatically disable a user account?
Yes. A playbook can call the Microsoft Graph API PATCH https://graph.microsoft.com/v1.0/users/{id} with body {"accountEnabled": false} to disable a user account. The Logic Apps managed identity needs the User.ReadWrite.All Graph API application permission. For high-privilege accounts (admins, Global Admins), consider requiring a second analyst approval before the disable action executes -- an automation that accidentally disables a break-glass account can cause a significant operational impact. Use a Teams approval step before disabling admin-tier accounts.
What are Sentinel analytics rule templates and how do they relate to automation?
Microsoft provides hundreds of analytics rule templates in the Sentinel Content Hub -- pre-built KQL detection rules for Microsoft 365, Azure, and third-party data sources. These templates create incidents that can then be targeted by automation rules. The recommended workflow: install relevant analytics rule templates from Content Hub, enable the rules you want to monitor, create automation rules that trigger on specific rule names, and build playbooks for the enrichment and response actions those rules require. The MITRE ATT&CK mapping in each template helps you pair the right response playbook to each detection category.
How do I test a Sentinel playbook before deploying it to production?
From the Sentinel Automation blade, select any existing incident and use 'Run playbook' to manually trigger the playbook against that incident. This executes the full playbook with live data from the selected incident. Check the Logic Apps run history in the Azure portal (Logic Apps > your playbook app > Runs history) to see the execution details, each step's input/output, and any errors. For destructive actions (disable account, isolate device), test in a dev environment or against test accounts before enabling automation-rule-triggered execution in production. Add a condition at the start of response playbooks that checks whether the incident is in a test workspace or has a specific tag before taking disruptive actions.
Can Sentinel playbooks enrich incidents with threat intelligence from external feeds?
Yes. A playbook triggered on incident creation can extract IP addresses or file hashes from the incident entities, query external threat intelligence APIs (VirusTotal, MISP, Recorded Future, AbuseIPDB), and write the results back to the incident as comments or custom fields using the Sentinel Logic Apps connector's 'Add comment to incident' action. The Logic Apps HTTP connector handles REST API calls. For IP reputation: query AbuseIPDB or Shodan and attach the confidence score and abuse category. For file hashes: query VirusTotal and attach the detection ratio. Enrichment happens automatically on every new incident, giving analysts context before they open the case.
What is the difference between a Sentinel automation rule and a playbook, and when should each be used?
Automation rules and playbooks work at different layers of the automation stack. Automation rules are lightweight, built-in Sentinel logic that execute instantly without external dependencies: they can assign severity, change incident status, add tags, assign owners, and trigger a playbook. They are evaluated in priority order for every incident and are the correct tool for fast, deterministic incident routing -- 'all High incidents from this data connector go to this owner.' Playbooks are Azure Logic Apps workflows that can perform complex multi-step actions involving external systems: calling a REST API, sending a Teams or email notification, querying a CMDB, creating a ServiceNow ticket, or blocking a user in Entra ID. Playbooks run asynchronously and can take minutes to complete. They are the correct tool for actions requiring external connectivity or branching logic. The typical pattern: an automation rule fires on incident creation, performs instant triage (assigns severity, adds tags), and triggers a playbook for enrichment and notification. Automation rules can also suppress playbook execution (close the incident first) to prevent alert fatigue during known maintenance windows.
Sources & references
Free resources
Critical CVE Reference Card 2025–2026
25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.
Ransomware Incident Response Playbook
Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.
Get threat intel before your inbox does.
50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.
Unsubscribe anytime. We never sell your data.

Founder & Cybersecurity Evangelist, Decryption Digest
Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.
Win a $2,495 Black Hat pass.
Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.
