You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: articles/sentinel/automation/create-playbooks.md
+7-13Lines changed: 7 additions & 13 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -4,7 +4,7 @@ description: Learn how to create and manage Microsoft Sentinel playbooks to auto
4
4
author: batamig
5
5
ms.author: bagol
6
6
ms.topic: how-to
7
-
ms.date: 04/17/2024
7
+
ms.date: 05/30/2024
8
8
appliesto:
9
9
- Microsoft Sentinel in the Azure portal
10
10
- Microsoft Sentinel in the Microsoft Defender portal
@@ -211,23 +211,17 @@ Do the following steps:
211
211
212
212
1. Before the first action that refers to the **Incident ARM ID** field, add a **Condition** step.
213
213
214
-
1.Select the **Choose a value** field and enter the **Add dynamic content** dialog.
214
+
1.On the side, select the **Choose a value** field to enter the **Add dynamic content** dialog.
215
215
216
-
1. Select the **Expression** tab and the **length(collection)**function.
216
+
1. Select **Incident ARM ID (Optional)**, and the **is not equal to**operator.
217
217
218
-
1. Select the **Dynamic content**tab and the **Incident ARM ID**field.
218
+
1. Select **Choose a value**again to enter the **Add dynamic content**dialog.
219
219
220
-
1.Verify the resulting expression is `length(triggerBody()?['IncidentArmID'])`and select **OK**. For example:
220
+
1.Select the **Expression** tab and **null** function.
221
221
222
-
:::image type="content" source="../media/playbook-triggers-actions/condition-incident-id.png" alt-text="Screenshot of dynamic content dialog to select fields for a playbook condition.":::
223
-
224
-
1. Set the **operator** and **value** in the condition to **is greater than** and **0**. For example:
225
-
226
-
:::image type="content" source="../media/playbook-triggers-actions/condition-length.png" alt-text="Screenshot of final definition of condition described in the previous screenshot.":::
227
-
228
-
1. In the **True** frame, add the actions to be taken if the playbook is run from an incident context.
222
+
For example:
229
223
230
-
In the **False** frame, add the actions to be taken if the playbook is run from a nonincident context.
224
+
:::image type="content" source="../media/create-playbooks/no-incident-id.png" alt-text="Screenshot of the extra condition to add before the Incident ARM ID field.":::
0 commit comments