Blink’s integration with Microsoft Sentinel, available through the Sentinel Content Hub, lets you trigger Blink workflows directly from Sentinel incidents or alerts. This allows organizations to respond to threats faster, reduce manual effort, and streamline their security operations with Blink’s no-code automation platform.
In Microsoft Sentinel, use the left-hand menu to go to Content management > Content hub. Search for Blink in the search bar, select the displayed solution, and click Install.
After the solution has been installed, click Manage.
Select the Playbook you want to add and click Configuration.
The following steps show how to create the Sentinel Incident Handler playbook; the same process applies to the Sentinel Alert Handler.
Click Create Playbook.
Select the Subscription and Resource group, choose a name, and click Next: Connections.
Choose a Microsoft Sentinel connection and click Next: Review and create.
Click Create playbook.
In the playbook designer, click Parameters.
Configure the Blink-Webhook-Full-URL parameter: change its Default value to the Webhook Full URL you copied earlier from Blink. Treat this URL as you would a credential, since it is what the playbook uses to reach and start your workflow; keep it out of tickets, chat messages, and logs.
Close the parameters window and click Save.
Next, create an automation rule that triggers the workflow whenever an incident is created. You can also create rules for new alerts.
In Microsoft Sentinel, use the left-hand menu to go to Configuration > Automation. Click Create > Automation Rule.
Configure the new rule:
Choose an informative rule name.
Choose the trigger type When incident is created (the other available options are When incident is updated and When alert is created).
Set Actions to Run playbook and select the Sentinel Incident Handler playbook.
Optional: set a rule expiration date. After that date the rule no longer runs the playbook, so check it when a run you expected does not appear.
Click Apply.
After completing these steps, new Microsoft Sentinel incidents will automatically trigger your workflow in Blink. To confirm the wiring, check the playbook's run history in the Logic Apps designer after the next incident is created, and verify that the corresponding run appears in Blink.
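The following is an added example, not Blink's or Microsoft's code. It models in Python the decision the automation rule above makes: run the selected playbook only when the event kind matches the rule's trigger type and the rule has not passed its expiration date. The trigger-type names, the rule and event records, and the redaction helper for the webhook URL are this example's own assumptions; Sentinel's real rule engine also supports conditions this page does not describe.

```python
"""Model of how a Sentinel automation rule decides to run a playbook.

Added example for this page (not Blink's or Microsoft's code). It models only
what the page describes: a trigger type (incident created / incident updated /
alert created), a target playbook and an optional expiration date. Rule and
event records are constructed for the example.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional
from urllib.parse import urlsplit

# Trigger types offered by the automation-rule UI; the identifiers are this
# example's own, not Sentinel API values.
TRIGGER_TYPES = {"incident_created", "incident_updated", "alert_created"}


@dataclass(frozen=True)
class SentinelEvent:
    """A constructed stand-in for an incident/alert event (assumption)."""
    kind: str        # same vocabulary as TRIGGER_TYPES
    object_id: str   # incident or alert id
    severity: str


@dataclass(frozen=True)
class AutomationRule:
    name: str
    trigger: str                         # one of TRIGGER_TYPES
    playbook: str                        # e.g. "Sentinel Incident Handler"
    expires_at: Optional[datetime] = None  # UTC; None means never expires

    def __post_init__(self) -> None:
        if self.trigger not in TRIGGER_TYPES:
            raise ValueError(f"unknown trigger type: {self.trigger}")
        if self.expires_at is not None and self.expires_at.tzinfo is None:
            raise ValueError("expires_at must be timezone-aware")

    def is_active(self, now: datetime) -> bool:
        # An expired rule silently stops firing; this is the first thing to
        # check when an expected playbook run does not show up.
        return self.expires_at is None or now < self.expires_at

    def matches(self, event: SentinelEvent, now: datetime) -> bool:
        return self.is_active(now) and event.kind == self.trigger


def playbooks_to_run(rules: List[AutomationRule], event: SentinelEvent,
                     now: Optional[datetime] = None) -> List[str]:
    """Return the playbooks that the active, matching rules would run."""
    now = now or datetime.now(timezone.utc)
    return [rule.playbook for rule in rules if rule.matches(event, now)]


def redact_webhook_url(url: str) -> str:
    """Keep scheme and host only: the full webhook URL is a credential and
    should never reach logs or tickets. Rejects non-https URLs."""
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError("webhook URL must be an absolute https URL")
    return f"{parts.scheme}://{parts.netloc}/<redacted>"


if __name__ == "__main__":
    # Constructed sample data: one rule as configured on this page, two events.
    now = datetime(2024, 6, 1, tzinfo=timezone.utc)
    rule = AutomationRule(
        name="Blink on new incident",
        trigger="incident_created",
        playbook="Sentinel Incident Handler",
        expires_at=datetime(2024, 12, 31, tzinfo=timezone.utc),
    )
    created = SentinelEvent("incident_created", "inc-1001", "High")
    updated = SentinelEvent("incident_updated", "inc-1001", "High")
    print(playbooks_to_run([rule], created, now))   # fires
    print(playbooks_to_run([rule], updated, now))   # trigger type mismatch
    print(redact_webhook_url("https://hooks.example.invalid/w/abc?token=x"))
```

Wire the `is_active` check into whatever monitors your playbook runs: a rule that was given an expiration date and quietly lapsed looks exactly like a broken webhook until you compare the dates.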