Forum Discussion
Pranesh1060
Jan 27, 2020, Brass Contributor
Assigning alerts/incidents in Sentinel to a specific team/user/group.
Hi Guys,
Is there a way to assign a particular incident coming in from different sources to a team/user/group instead of the admin going to the portal and assigning it to himself?
Considering our team size, the requirement is to have respective SMEs take care of the incidents coming from their respective sources. For example: incidents coming from MCAS to be assigned to XYZ, incidents coming from AADIP to ABC and so on, either by using a playbook or by any other means.
Also, is there a way to pin/export a dashboard of sorts to the homepage of Sentinel to see the number of incidents resolved/in progress and new, to be refreshed from time to time?
Thanking in anticipation
- GaryBushey, Bronze Contributor
Pranesh1060 To answer your first question, unfortunately Playbooks can only be assigned to Scheduled rules so alerts that get generated from other sources like MCAS would not be able to trigger a Playbook (yet? Please, Microsoft. Make this happen!). You can trigger the Playbook from the Incident's full details page using the Alert tab but that is a manual process.
In regards to your second question, unfortunately there is no way to get the information you want into a Sentinel workbook since the Incident information is not stored in Log Analytics. I did write a blog post about how to load the information into PowerBI and from there you can create the reports you want. Not the best option but it might have to do for now. https://www.garybushey.com/2020/01/20/azure-sentinel-incidents-in-powerbi/
- Pranesh1060, Brass Contributor
Hi Gary, thanks for your response. However, when playbooks are getting triggered for a scheduled alert, is there a possibility to hard code the name of the administrator or a team directly? Like for every MCAS scheduled alert the incident owner should be me.
- GaryBushey, Bronze Contributor
Pranesh1060 I wrote a quick blog post on how to do this using PowerShell, https://www.garybushey.com/2020/01/28/updating-an-incident-using-rest-calls-in-powershell/. There is no reason you could not iterate through all the Incidents, find those that are unassigned, determine which person/group it should go to, and then use the code in the blog post to make the changes and update the Incident.
You could have this run on a schedule using Azure Automation. While it will not automatically update your Incidents, they could be updated fairly quickly.
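The scheduled assignment loop described in the reply above, as an added example that is not part of the thread or of the linked blog post. It assumes a bearer token in $Token, placeholder subscription/workspace identifiers, and a constructed routing table keyed by the product names the API reports in each incident's additionalData.alertProductNames; the Azure AD object ids and UPNs in that table are placeholders.

```powershell
# Added example (not the post's or the blog's code): assign unassigned Azure Sentinel incidents
# to an owner chosen by alert product, via the SecurityInsights REST API. Assumes $Token holds a
# bearer token for https://management.azure.com and the placeholder ids below are replaced.
$SubscriptionId = '<subscription-id>'
$ResourceGroup  = '<resource-group>'
$Workspace      = '<workspace-name>'
$ApiVersion     = '2020-01-01'
$Headers = @{ Authorization = "Bearer $Token"; 'Content-Type' = 'application/json' }
$Base = "https://management.azure.com/subscriptions/$SubscriptionId/resourceGroups/$ResourceGroup" +
        "/providers/Microsoft.OperationalInsights/workspaces/$Workspace/providers/Microsoft.SecurityInsights"

# Constructed routing table: product name (from additionalData.alertProductNames) -> owner,
# where objectId is the Azure AD object id of the user or group that should take the incident.
$Routing = @{
    'Microsoft Cloud App Security'               = @{ objectId = '<aad-object-id-xyz>'; userPrincipalName = 'xyz@contoso.com' }
    'Azure Active Directory Identity Protection' = @{ objectId = '<aad-object-id-abc>'; userPrincipalName = 'abc@contoso.com' }
}

# Page through every incident in the workspace; the list call returns nextLink while more remain.
function Get-AllIncidents {
    $uri = "$Base/incidents?api-version=$ApiVersion"
    while ($uri) {
        $page = Invoke-RestMethod -Method Get -Uri $uri -Headers $Headers
        $page.value
        $uri = $page.nextLink
    }
}

foreach ($incident in Get-AllIncidents) {
    $p = $incident.properties
    # Leave alone anything already owned or already closed.
    if ($p.owner.objectId -or $p.status -eq 'Closed') { continue }
    # Route on the first product in the incident that has a routing entry (skip null entries).
    $product = @($p.additionalData.alertProductNames) | Where-Object { $_ -and $Routing.ContainsKey($_) } | Select-Object -First 1
    if (-not $product) { continue }
    # PUT replaces the incident, so resend the fields worth keeping alongside the new owner;
    # the etag makes the update fail (HTTP 412) if someone else changed the incident meanwhile.
    $body = @{
        etag       = $incident.etag
        properties = @{
            title       = $p.title
            description = $p.description
            severity    = $p.severity
            status      = $p.status
            labels      = @($p.labels | Where-Object { $_ })
            owner       = $Routing[$product]
        }
    } | ConvertTo-Json -Depth 5
    Invoke-RestMethod -Method Put -Uri "$Base/incidents/$($incident.name)?api-version=$ApiVersion" -Headers $Headers -Body $body | Out-Null
    Write-Host "Incident $($p.incidentNumber) ($product) assigned to $($Routing[$product].userPrincipalName)"
}
```

Run it from an Azure Automation runbook on a schedule, as the reply suggests; the identity used needs write access to the workspace's SecurityInsights incidents.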
- Rod_Trent, Microsoft
For the Dashboard piece, you can pin a query or Workbook to the Azure Dashboards (the main Azure console dashboard), which would act as a quick view into open issues.
For the auto-assignment, have you looked at generating a Playbook (Logic App) to do this?