Response Actions for Microsoft Sentinel
- Updated on 16 Jul 2025
The Red Canary Automation interface provides the following response action for Microsoft Sentinel:
Send Threat to Sentinel
Automatically creates a corresponding incident in your Azure Sentinel workspace whenever a threat is published in Red Canary. The data is sent using Microsoft's Log Analytics API and includes a summary of the threat, the severity level, host/endpoint details, affected user accounts, and any relevant threat intelligence such as the MITRE ATT&CK classification.
Security Incident Filtering
Note that the Red Canary to Sentinel integration will recognize and filter out incidents created by this response action, keeping them from being re-ingested into your Red Canary portal.
Prerequisites
- You have the Global Administrator role in Azure.
- You know the ID for your Azure Log Analytics workspace and the shared API authentication key. You can locate these values as follows:
  1. Log in to your Azure Portal and navigate to your Log Analytics workspace.
  2. Go to Settings > Agents.
  3. From the Download agent section, copy the Workspace ID and the Primary key.
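The response action authenticates to the Log Analytics HTTP Data Collector API with the workspace ID and shared key gathered above and posts the threat fields described under Send Threat to Sentinel. The Python below is an added example (not Red Canary's own code) showing how such a request is built and signed so you can see what the shared key protects; the workspace ID, key, Log-Type name and threat fields are constructed placeholders.

```python
import base64
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Constructed placeholders: not a real workspace, key or Red Canary log type.
WORKSPACE_ID = "00000000-0000-0000-0000-000000000000"
SHARED_KEY = base64.b64encode(b"example-primary-key-for-demo-only!").decode()
LOG_TYPE = "RedCanaryThreat"   # Sentinel stores custom logs as <name>_CL
RESOURCE = "/api/logs"

SAMPLE_THREAT = {  # constructed record shaped like the fields the page lists
    "threat_id": "THREAT-0001",
    "summary": "Suspicious PowerShell execution on workstation",
    "severity": "High",
    "hostname": "WS-LAB-01",
    "username": "lab\\alice",
    "mitre_attack": ["T1059.001"],
    "published_at": "2025-07-16T12:00:00Z",
}

def rfc1123_now() -> str:
    """x-ms-date header; the service rejects dates far from its own clock."""
    return datetime.now(timezone.utc).strftime("%a, %d %b %Y %H:%M:%S GMT")

def build_string_to_sign(content_length: int, date: str) -> str:
    # Canonical string defined by the Data Collector API. Note it binds the
    # method, body length, content type, date and path, not the body bytes;
    # body integrity relies on TLS.
    return f"POST\n{content_length}\napplication/json\nx-ms-date:{date}\n{RESOURCE}"

def build_signature(shared_key: str, content_length: int, date: str) -> str:
    key = base64.b64decode(shared_key)  # the shared key is base64 encoded
    msg = build_string_to_sign(content_length, date).encode("utf-8")
    return base64.b64encode(hmac.new(key, msg, hashlib.sha256).digest()).decode()

def build_request(threat: dict, workspace_id=WORKSPACE_ID, shared_key=SHARED_KEY, date=None):
    """Return (url, headers, body) for one threat record; nothing is sent."""
    date = date or rfc1123_now()
    body = json.dumps([threat])  # the API accepts a JSON array of records
    signature = build_signature(shared_key, len(body.encode("utf-8")), date)
    headers = {
        "Content-Type": "application/json",
        "Authorization": f"SharedKey {workspace_id}:{signature}",
        "Log-Type": LOG_TYPE,
        "x-ms-date": date,
        "time-generated-field": "published_at",  # use the threat's own timestamp
    }
    url = f"https://{workspace_id}.ods.opinsights.azure.com{RESOURCE}?api-version=2016-04-01"
    return url, headers, body

def verify_signature(headers: dict, body: str, shared_key: str) -> bool:
    """Recompute the signature (e.g. in a playbook test harness) and compare in constant time."""
    expected = build_signature(shared_key, len(body.encode("utf-8")), headers["x-ms-date"])
    return hmac.compare_digest(expected, headers["Authorization"].split(":", 1)[1])
```

Because the Primary key signs every record for the whole workspace, treat it like any other workspace-wide credential and rotate it from the Agents blade if it is ever exposed.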
Adding a Microsoft Sentinel Response Action to a Playbook
To add the Sentinel response action to an Automate playbook:
1. From the Red Canary portal navigation menu, select Automation > Playbooks.
2. In the Playbooks section, open an existing Automate playbook or make a new one by clicking +Create New Playbook.
3. Assign or edit the playbook name and description, then click +Add Action.
4. From the Microsoft Sentinel section, add the action to the playbook.
5. Enter the Azure Log Analytics workspace ID and shared key.
6. [OPTIONAL] Check the Require Approval box and provide contact details if you want someone to approve this action before it executes. This will apply to both manual and automatically-triggered executions.
7. Click Save.
Manually Executing the Response Action
To execute the Sentinel response action manually:
1. Open the playbook and click Run.
2. Search for the threat in the dropdown list, then click Run.
3. Click the Follow along… link to view the results of the action.

If you set the action to Require Approval, you’ll need to approve it before it can execute.
Automatically Executing the Response Action
To execute the Sentinel response action automatically, link an appropriate trigger to the playbook. For more information, see Customize When a Playbook is Run With Triggers.