Forum Discussion
Create a Sentinel Incident based on an Email being received
Hi All,
I'm trying to create a Logic App which will generate a Sentinel incident after an email is received with a specific subject line or body content. It doesn't look like there's a straightforward way of doing this, as there's no action for Sentinel to create an incident.
Any thoughts on how this could be achieved?
Thanks in advance.
3 Replies
- GaryBushey (Bronze Contributor)
Sam_SOC: One way would be to use the REST API (still in preview) to create the Incident. You can go here to see some examples: https://github.com/Azure/azure-rest-api-specs/tree/master/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2019-01-01-preview/examples/incidents
Keep in mind that the Machine Learning features of Azure Sentinel look at Alerts rather than Incidents so you may be better off creating a Logic App that can create an entry in a custom log (there is a Logic App Send Data action) based on the Email and then have an Analytic Rule create an Alert/Incident based on that custom log.
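Both options from the reply above, as an added worked example that is not part of the original thread: a subject/body match on the e-mail, then either a PUT to the preview incidents REST API (option 1) or a signed POST to the Log Analytics HTTP Data Collector API, which is what the Logic App "Send Data" action performs under the hood (option 2). The incident path and body shape follow the 2019-01-01-preview examples linked in the reply; the `EmailAlert` log type, the `urgent` pattern, the e-mail content, the workspace IDs and the workspace key are constructed placeholders. The functions only build the requests so the code runs offline; sending them, and obtaining the Azure AD bearer token the management API needs for option 1, is left to the caller.

```python
"""Turn a matched e-mail into a Sentinel incident or a custom-log row.

Added example, not code from the original thread. Only request builders:
nothing is sent, and no Azure AD token is fetched.
"""
import base64
import hashlib
import hmac
import json
import re
from datetime import datetime, timezone

SEVERITIES = ("High", "Medium", "Low", "Informational")


def email_matches(subject, body, subject_pattern=None, body_pattern=None):
    """True if the e-mail matches the configured subject and/or body regex.

    At least one pattern is required so an empty rule never fires on every
    mail; matching is case-insensitive.
    """
    if not subject_pattern and not body_pattern:
        raise ValueError("need at least one of subject_pattern / body_pattern")
    if subject_pattern and not re.search(subject_pattern, subject, re.IGNORECASE):
        return False
    if body_pattern and not re.search(body_pattern, body, re.IGNORECASE):
        return False
    return True


def build_incident_put(subscription_id, resource_group, workspace, incident_id,
                       title, description, severity="Medium"):
    """Option 1: (url, headers, body) for PUT .../incidents/{incidentId}.

    Uses the 2019-01-01-preview API version from the reply. The caller must
    add 'Authorization: Bearer <Azure AD token>' before sending.
    """
    if severity not in SEVERITIES:
        raise ValueError("unknown severity %r" % severity)
    url = (
        "https://management.azure.com"
        f"/subscriptions/{subscription_id}"
        f"/resourceGroups/{resource_group}"
        "/providers/Microsoft.OperationalInsights"
        f"/workspaces/{workspace}"
        "/providers/Microsoft.SecurityInsights"
        f"/incidents/{incident_id}"
        "?api-version=2019-01-01-preview"
    )
    body = {"properties": {"title": title, "description": description,
                           "severity": severity, "status": "New"}}
    return url, {"Content-Type": "application/json"}, json.dumps(body)


def build_data_collector_post(workspace_id, shared_key, log_type, records,
                              x_ms_date=None):
    """Option 2: (url, headers, body) for the HTTP Data Collector API.

    shared_key is the workspace primary/secondary key (base64) and is a
    secret: it signs METHOD, content length, content type, x-ms-date and the
    resource path with HMAC-SHA256. x_ms_date (RFC 1123) is injectable so a
    signature can be reproduced; it defaults to the current UTC time.
    """
    if x_ms_date is None:
        x_ms_date = datetime.now(timezone.utc).strftime("%a, %d %b %Y %H:%M:%S GMT")
    body = json.dumps(records)  # the API expects a JSON array of rows
    resource = "/api/logs"
    string_to_sign = "\n".join([
        "POST", str(len(body.encode("utf-8"))), "application/json",
        "x-ms-date:" + x_ms_date, resource])
    digest = hmac.new(base64.b64decode(shared_key),
                      string_to_sign.encode("utf-8"), hashlib.sha256).digest()
    signature = base64.b64encode(digest).decode()
    url = f"https://{workspace_id}.ods.opinsights.azure.com{resource}?api-version=2016-04-01"
    headers = {
        "Content-Type": "application/json",
        "Authorization": f"SharedKey {workspace_id}:{signature}",
        "Log-Type": log_type,  # rows land in the custom table <log_type>_CL
        "x-ms-date": x_ms_date,
    }
    return url, headers, body


if __name__ == "__main__":
    # Constructed e-mail; the rule fires on "urgent" in the subject.
    subject, body = "URGENT: suspicious login", "Please check account j.doe"
    if email_matches(subject, body, subject_pattern=r"urgent"):
        print(build_incident_put("0000-sub", "soc-rg", "soc-ws", "email-0001",
                                 subject, body, "High")[0])
        row = [{"Subject": subject, "Body": body, "Source": "mailbox"}]
        print(build_data_collector_post("0000-ws", "c2VjcmV0", "EmailAlert", row)[1])
```

Because the shared key signs every row, keep it in a Key Vault reference or Logic App parameter rather than in the workflow definition, and prefer option 2 when you want the Analytic Rule (and the alert-based ML features the reply mentions) to see the event.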