Forum Discussion
Pranesh1060
Jan 27, 2020 (Brass Contributor)
Assigning alerts/incidents in Sentinel to a specific team/user/group.
Hi Guys, Is there a way to assign a particular incident coming in from different sources to a team/user/group instead of the admin going to the portal and assigning it to himself? Considering ou...
Pranesh1060
Jan 28, 2020 (Brass Contributor)
Hi Gary, thanks for your response. However, when playbooks get triggered for a scheduled alert, is there a possibility to hard-code the name of the administrator or a team directly? Like for every MCAS scheduled alert the incident owner should be me.
GaryBushey
Jan 28, 2020 (Bronze Contributor)
Pranesh1060 Yes and no. Yes, you can do it and no, it won't be easy. Unfortunately, as it stands right now, using the Logic App Sentinel connector you can change a lot of settings on the Incident including severity, status, labels, title and description but the person the incident is assigned to is not one of the fields (probably because of the need to pass in a GUID, see below).
You can do this using the REST API calls, and there is a Logic App action to make this call. You would need to get the Incident in question using a REST call, modify the "owner" field under the "properties" field and then update the Incident. The hard part is that the "owner" field has 3 fields under it: "objectId" (which is the user's Azure AD GUID), "email", and "name". If you can get that GUID the rest should be easy.
I have a blog post on creating a Fusion rule that shows you what needs to be done to make a call into the REST API using a PUT call (see below). You can use most of that code just remember that you need to get the Incident first so that all the rest of the fields are filled in. Here is the code I used, making the substitutions as needed:
```powershell
# Incident ("case" in this preview API version) resource URI; fill in the placeholders.
$uri = "https://management.azure.com/subscriptions/<subscription>/resourceGroups/<resourcegroup>/providers/Microsoft.OperationalInsights/workspaces/<workspace>/providers/Microsoft.SecurityInsights/cases/<case name>?api-version=2019-01-01-preview"

# GET the full incident first so every other property round-trips unchanged in the PUT.
# $authHeader is the bearer-token header built earlier (see the blog post linked below).
$body = (Invoke-RestMethod -Method "Get" -Uri $uri -Headers $authHeader)

# Only the owner sub-fields change; objectId is the assignee's Azure AD user GUID.
$body.properties.owner.objectId = "<user guid>"
$body.properties.owner.email    = "gary.bushey@nowhere.com"
$body.properties.owner.name     = "Gary Bushey"
```
And then call the rest of the code to perform the PUT.
Blog post: Working with Analytics rules Part 3 – Create Fusion / ML Rule
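The GET/modify/PUT sequence described in the answer above, carried through end to end as an added example (this is not code from the post, from Gary's blog, or from Microsoft's documentation). It assumes: PowerShell 7 with the Az.Accounts module and a prior `Connect-AzAccount`; an identity with Microsoft Sentinel Responder (or higher) on the workspace and permission to read users from Microsoft Graph; the GA `incidents` route with `api-version=2023-02-01` rather than the `cases` preview route quoted above, where the owner object carries `assignedTo`, `userPrincipalName` and `ownerType` alongside `objectId` and `email`. The function name, parameter names and the `analyst@contoso.com` UPN are placeholders chosen for the example.

```powershell
# Added example, not from the original thread. Assumptions: PowerShell 7, Az.Accounts,
# Connect-AzAccount already run, Sentinel Responder on the workspace, Graph User.Read.All
# (or equivalent) for the UPN lookup, GA "incidents" endpoint with api-version 2023-02-01.
function Set-SentinelIncidentOwner {
    param(
        [Parameter(Mandatory)] [string] $SubscriptionId,
        [Parameter(Mandatory)] [string] $ResourceGroup,
        [Parameter(Mandatory)] [string] $Workspace,
        # The incident resource name (a GUID), not the integer "incident number" shown in the portal.
        [Parameter(Mandatory)] [string] $IncidentId,
        # User principal name of the analyst to assign, e.g. analyst@contoso.com (placeholder).
        [Parameter(Mandatory)] [string] $OwnerUpn,
        [string] $ApiVersion = '2023-02-01'
    )

    # Two bearer tokens: ARM for the Sentinel REST API, Microsoft Graph for the user lookup.
    # Older Az.Accounts returns .Token as a string, newer versions as a SecureString; handle both.
    function Get-BearerHeader([string] $Resource) {
        $t = (Get-AzAccessToken -ResourceUrl $Resource).Token
        if ($t -is [securestring]) { $t = ConvertFrom-SecureString $t -AsPlainText }
        return @{ Authorization = "Bearer $t" }
    }
    $armHeader   = Get-BearerHeader 'https://management.azure.com/'
    $graphHeader = Get-BearerHeader 'https://graph.microsoft.com/'

    # 1. Resolve the UPN to the Entra ID object id, which is the GUID the owner field needs.
    $graphUri = "https://graph.microsoft.com/v1.0/users/$([uri]::EscapeDataString($OwnerUpn))" +
                "?`$select=id,displayName,mail,userPrincipalName"
    $user = Invoke-RestMethod -Method Get -Uri $graphUri -Headers $graphHeader

    # 2. GET the incident so title, severity, status, labels and the etag round-trip unchanged.
    $uri = "https://management.azure.com/subscriptions/$SubscriptionId/resourceGroups/$ResourceGroup" +
           "/providers/Microsoft.OperationalInsights/workspaces/$Workspace" +
           "/providers/Microsoft.SecurityInsights/incidents/$IncidentId?api-version=$ApiVersion"
    $incident = Invoke-RestMethod -Method Get -Uri $uri -Headers $armHeader

    # 3. Replace the owner object wholesale. On an unassigned incident "owner" may be null, in
    #    which case assigning into $incident.properties.owner.objectId would throw; -Force covers
    #    both the "present" and the "absent" case.
    $owner = [pscustomobject]@{
        objectId          = $user.id
        email             = $user.mail
        assignedTo        = $user.displayName
        userPrincipalName = $user.userPrincipalName
        ownerType         = 'User'
    }
    $incident.properties | Add-Member -NotePropertyName owner -NotePropertyValue $owner -Force

    # 4. PUT the whole object back. Because the etag returned by the GET is sent along, a
    #    concurrent edit by another analyst makes this call fail instead of being overwritten.
    #    -Depth matters: the default ConvertTo-Json depth would truncate the nested properties.
    $json = $incident | ConvertTo-Json -Depth 20
    return Invoke-RestMethod -Method Put -Uri $uri -Headers $armHeader `
        -ContentType 'application/json' -Body $json
}

# Usage (all values are placeholders):
# Set-SentinelIncidentOwner -SubscriptionId '<subscription>' -ResourceGroup '<resourcegroup>' `
#     -Workspace '<workspace>' -IncidentId '<incident name>' -OwnerUpn 'analyst@contoso.com'
```

Two practical points for anyone wiring this into a playbook instead of running it interactively: the Logic App HTTP action can make the same two calls with a managed identity, so no credential needs to be stored in the workflow, and the identity then needs the Sentinel Responder role on the workspace plus a Graph application permission such as User.Read.All for the UPN lookup. Keep the GET before the PUT; sending a hand-built body without the etag and the other properties is what silently resets fields you did not intend to touch.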