Forum Discussion
Assigning alerts/incidents in Sentinel to a specific team/user/group.
Hi Gary, thanks for your response. However, when playbooks are getting triggered for a scheduled alert, is there a possibility to hard code the name of the administrator or a team directly? Like, for every MCAS scheduled alert, the incident owner should be me.
Pranesh1060, I wrote a quick blog post on how to do this using PowerShell: https://www.garybushey.com/2020/01/28/updating-an-incident-using-rest-calls-in-powershell/. There is no reason you could not iterate through all the Incidents, find those that are unassigned, determine which person/group it should go to, and then use the code in the blog post to make the changes and update the Incident.
You could have this run on a schedule using Azure Automation. While it will not automatically update your Incidents, they could be updated fairly quickly.
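
A sketch of the loop described in the reply above, as an added example; it is not code from the thread or from the linked blog post. It assumes the Az.Accounts module with an authenticated session, the Sentinel incidents REST API at api-version 2023-02-01, and routing on the incident's `alertProductNames`; the subscription, workspace, product name string and owner object ID are placeholders, and `Get-OwnerIdForIncident` is a hypothetical helper.

```powershell
# Added example: assign unassigned Sentinel incidents based on the alert product.
# Needs Az.Accounts and a signed-in context (Connect-AzAccount).
$SubscriptionId = '<subscription-id>'     # placeholder
$ResourceGroup  = '<resource-group>'      # placeholder
$Workspace      = '<workspace-name>'      # placeholder
$ApiVersion     = '2023-02-01'

# Assumed routing table: alert product name -> Entra ID object ID of the owner.
# Check the product name against alertProductNames in your own incidents.
$OwnerByProduct = @{ 'Microsoft Cloud App Security' = '<owner-object-id>' }

function Get-OwnerIdForIncident {
    param($Incident, [hashtable]$Map)
    foreach ($product in $Incident.properties.additionalData.alertProductNames) {
        if ($Map.ContainsKey($product)) { return $Map[$product] }
    }
    return $null   # no rule matched: leave the incident unassigned
}

$base = "/subscriptions/$SubscriptionId/resourceGroups/$ResourceGroup" +
        "/providers/Microsoft.OperationalInsights/workspaces/$Workspace" +
        "/providers/Microsoft.SecurityInsights/incidents"

$resp = Invoke-AzRestMethod -Method GET -Path "${base}?api-version=$ApiVersion"
while ($resp) {
    if ($resp.StatusCode -ne 200) { throw "List failed: $($resp.StatusCode) $($resp.Content)" }
    $page = $resp.Content | ConvertFrom-Json
    foreach ($inc in $page.value) {
        if ($inc.properties.status -eq 'Closed') { continue }
        if ($inc.properties.owner.objectId) { continue }        # already assigned
        $ownerId = Get-OwnerIdForIncident -Incident $inc -Map $OwnerByProduct
        if (-not $ownerId) { continue }
        # PUT replaces the incident, so send the existing writable fields back with the new owner.
        $props = $inc.properties | Select-Object title, description, severity, status,
                     labels, firstActivityTimeUtc, lastActivityTimeUtc
        $props | Add-Member -NotePropertyName owner -NotePropertyValue ([pscustomobject]@{ objectId = $ownerId })
        $body = @{ etag = $inc.etag; properties = $props } | ConvertTo-Json -Depth 10
        $put  = Invoke-AzRestMethod -Method PUT -Path "$base/$($inc.name)?api-version=$ApiVersion" -Payload $body
        # A non-2xx status leaves the incident unassigned; the next scheduled run retries it.
        Write-Output ("{0} incident #{1} -> {2}" -f $put.StatusCode, $inc.properties.incidentNumber, $ownerId)
    }
    $resp = if ($page.nextLink) { Invoke-AzRestMethod -Method GET -Uri $page.nextLink } else { $null }
}
```

In an Azure Automation runbook, the sign-in step would typically be `Connect-AzAccount -Identity` with a managed identity that holds only the Microsoft Sentinel Responder role on the workspace.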