Smittydude8822
Aug 24, 2022 | Copper Contributor
Automate Incident Timeline Into Report
Hello All, My organization is currently working to stand up Sentinel as well as creating our incident timeline reporting strategy. We are looking to automate as much as possible within Sentinel, ...
Clive_Watson
Aug 25, 2022 | Bronze Contributor
The KQL needed would be something based on this
```kql
SecurityIncident
// keep only the latest record per incident (incidents are updated many times)
| summarize arg_max(TimeGenerated,*) by tostring(IncidentNumber)
// readable list of the alert GUIDs attached to the incident
| extend Alerts = extract("\\[(.*?)\\]", 1, tostring(AlertIds))
// one row per alert id so we can join to SecurityAlert
| mv-expand AlertIds to typeof(string)
| join
(
SecurityAlert
| extend AlertEntities = parse_json(Entities)
| mv-expand AlertEntities
) on $left.AlertIds == $right.SystemAlertId
// fold back to one row per incident with alert count and entity types
| summarize AlertCount=dcount(AlertIds), entityList=make_set(tostring(AlertEntities.Type)) by IncidentNumber, Status, Severity, Title, Alerts, IncidentUrl, Owner=tostring(Owner.userPrincipalName), Tactics=tostring(AdditionalData.tactics), tostring(Labels), tostring(Comments)
// set column order
| project IncidentNumber, Severity, Status, AlertCount, Owner, Title, Alerts, entityList, Tactics, IncidentUrl, Comments, Labels
| order by IncidentNumber desc
```
You'd probably insert a new line 2 to filter the Incident from the Playbook data.
```kql
SecurityIncident
| where IncidentNumber == "12345"
| summarize arg_max(TimeGenerated,*) by tostring(IncidentNumber)
...
```
There are some pdf add-ins for Playbooks, which I've seen used to then take this output and email to the person.
High Level idea
Recurrence trigger --> "Run Query and visualize results" --> use a convert to pdf option supported by Logic Apps - Send via email
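The query above gives one summary row per incident; for an incident *timeline* report the playbook usually also needs the attached alerts in time order alongside the incident's own status changes. The following KQL is an added example, not code from the thread or from Microsoft, and it assumes the standard Sentinel `SecurityIncident` and `SecurityAlert` schema (columns such as `StartTime`, `AlertName`, `AlertSeverity` and `Tactics` on `SecurityAlert`); the incident number `"12345"` is a constructed placeholder that the playbook would substitute from the trigger.

```kql
// Added example: ordered timeline for one incident, built from
// (a) every update record of the incident and (b) the alerts attached to it.
let target = "12345";   // constructed placeholder; supplied by the playbook in practice
// (a) one row per incident update: status / severity / owner at that time
let incidentEvents =
    SecurityIncident
    | where IncidentNumber == target
    | project TimeGenerated, IncidentNumber,
              EventType = "IncidentUpdate",
              Detail = strcat("Status=", Status, "; Severity=", Severity,
                              "; Owner=", tostring(Owner.userPrincipalName));
// (b) one row per attached alert, timestamped with the alert's StartTime
let alertEvents =
    SecurityIncident
    | where IncidentNumber == target
    | summarize arg_max(TimeGenerated, *) by tostring(IncidentNumber)
    | mv-expand AlertIds to typeof(string)
    | join kind=inner (
        SecurityAlert
        // alerts are also re-ingested on update; keep the latest copy of each
        | summarize arg_max(TimeGenerated, *) by SystemAlertId
      ) on $left.AlertIds == $right.SystemAlertId
    | project TimeGenerated = StartTime, IncidentNumber,
              EventType = "Alert",
              Detail = strcat(AlertName, " [", AlertSeverity, "] tactics=", tostring(Tactics));
// merge both event streams into a single chronological list
union incidentEvents, alertEvents
| order by TimeGenerated asc
| project TimeGenerated, IncidentNumber, EventType, Detail
```

Fed to the "Run query and visualize results" action, this yields one table per incident that already reads as a timeline (alert fired, incident created, owner assigned, status closed), so the PDF/email step needs no further shaping. Using `arg_max` on both tables matters: without it, every re-ingested copy of an incident or alert would appear as a separate timeline entry.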
Smittydude8822
Aug 25, 2022 | Copper Contributor
This is great! Thank you for your help!