⚠️Migrate your Microsoft Sentinel alert-trigger playbooks to automation rules
⚠️The ability to invoke playbooks from analytics rules will be deprecated effective March 2026. Until then, playbooks already defined to be invoked from analytics rules will continue to run, but as of June 2023 you can no longer add playbooks to the list of those invoked from analytics rules
If you have already created and built playbooks to respond to alerts (rather than incidents), and attached them to analytics rules, we strongly encourage you to move these playbooks to automation rules.
## Why Should You Migrate?
So, you've already got your playbooks in place, and they're doing just fine with analytics rules. Why should you consider moving them to automation rules? Well, there are a few compelling reasons:
**1. Unified Management: ** Manage all your automations from a single display, regardless of type (“single pane of glass”).
**2. Efficiency: ** Define a single automation rule that can trigger playbooks for multiple analytics rules, instead of configuring each analytics rule independently.
**3. Control: ** You have the ability to define the order in which your alert playbooks are executed. You can also set an expiration date for running a playbook, supporting a wider range of scenarios.
📌One important thing to note here is that your playbook itself won't undergo any changes. What changes is the mechanism that invokes it to run.
## How to Migrate?
Now that we've covered why it's a good idea to make the switch, let's talk about the steps involved in the migration:
🔸Single-Rule Playbooks: If you’re migrating a playbook that's used by only one analytics rule, follow the instructions under https://learn.microsoft.com/en-us/azure/sentinel/migrate-playbooks-to-automation-rules#create-an-automation-rule-from-an-analytics-rule
🔸Multi-Rule Playbooks: If you’re migrating a playbook that's used by more than one analytics rule, follow the instructions under https://learn.microsoft.com/en-us/azure/sentinel/migrate-playbooks-to-automation-rules#create-a-new-automation-rule-from-the-automation-portal
Want to learn more?
MS Docs: Migrate your Microsoft Sentinel alert-trigger playbooks to automation rules | Microsoft Learn
#microsoft #analytics #automation #microsoft365 #siem #xdr #microsoftsecurity #microsoftsentinel #azure #logicapps #playbooks #soar #MSPartnerUK #soc