Forum Discussion

MikeP751860
Brass Contributor
Nov 06, 2023

Creating a playbook with actionable message for end users

Hi,

Has anyone tried to create a playbook in Sentinel with workflow to send an actionable message to the end user to get them to confirm if they completed an action which triggered an alert/incident? We would like to see if we can reduce the SIEM events to our service desk by asking the end user to confirm actions undertaken. 

If they do not reply within 1 hour or if they reply as No then the incident will be raised. The nice thing about actionable message is the requirement for the end-user to authenticate, plus we can add MFA to validate it is the user and not someone else.

Regards

Mike

  • Clive_Watson
    Bronze Contributor
    I've seen it done - for Impossible Travel if I remember correctly. They also considered looking up the Manager in Entra ID (AAD) and informing them as a parallel check, also they excluded High priority events. e.g. was the manager aware they were traveling / on vacation etc...
    You'll also probably need some anomaly detection to see if you see high closure rates or spikes per user or alert, and to track these, maybe in a Workbook or better still a daily report/secondary Alert.
    • MikeP751860
      Brass Contributor
      Hi Clive, have you seen any examples in GitHub for the Azure web service required to manage the process?
      • Clive_Watson
        Bronze Contributor

        MikeP751860

        The one I saw was all done from within the Playbook using a condition check - one example

        1. If Alert fires - "send email to user" + lookup and "email manager", else "do nothing" (I think they actually wrote the state to a Teams channel at the time, plus "updated" the Incident).

        2. Then the task waits for the user / manager to respond

        I don't recall if they had your "wait 1 hr" accounted for. It was at least 3 years ago!

        Good luck with this, I suspect most users won't reply within the time window you set, without some training or penalty
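The decision logic the thread describes (1-hour reply window, "No" or no reply raises the incident, High severity never auto-closed, and a per-user auto-closure spike check as Clive suggests), written out as an added Python model; this is not the original poster's playbook nor a Logic App definition, and the sample incidents, the 3-per-day spike threshold and all names are constructed for illustration:

```python
"""Model of the user-confirmation playbook logic discussed in this thread.
Constructed example: the data and thresholds below are invented, not from Sentinel."""
from collections import Counter
from datetime import datetime, timedelta
from typing import Optional

RESPONSE_WINDOW = timedelta(hours=1)   # the "wait 1 hr" from the question
SPIKE_THRESHOLD = 3                    # assumed: >3 auto-closures per user per day is suspicious


def decide(severity: str, sent_at: datetime, reply: Optional[str],
           replied_at: Optional[datetime]) -> str:
    """Return 'escalate' (raise the incident) or 'auto_close' for one actionable message."""
    if severity.lower() == "high":
        return "escalate"                      # high-priority incidents bypass the user check
    if reply is None or replied_at is None:
        return "escalate"                      # user never replied
    if replied_at - sent_at > RESPONSE_WINDOW:
        return "escalate"                      # reply arrived after the window closed
    if reply.strip().lower() != "yes":
        return "escalate"                      # user says they did not perform the action
    return "auto_close"


def closure_spikes(records, threshold=SPIKE_THRESHOLD):
    """records: iterable of (user, day, decision). Returns {(user, day): count} above threshold,
    i.e. users whose auto-closure rate on a given day warrants a secondary alert."""
    counts = Counter((user, day) for user, day, dec in records if dec == "auto_close")
    return {key: n for key, n in counts.items() if n > threshold}


T0 = datetime(2023, 11, 6, 9, 0)       # constructed send time for every message
SAMPLE = [  # constructed: (user, severity, reply, minutes until reply or None)
    ("alice", "Medium", "Yes", 10),
    ("alice", "Medium", "Yes", 20),
    ("alice", "Medium", "Yes", 5),
    ("alice", "Medium", "Yes", 30),     # 4th auto-closure for alice -> spike
    ("bob", "Medium", "No", 15),        # denied -> escalate
    ("carol", "High", "Yes", 5),        # High severity -> escalate regardless
    ("dave", "Low", "Yes", 90),         # replied Yes but after 1 hour -> escalate
    ("erin", "Low", None, None),        # no reply -> escalate
]


def run(sample=SAMPLE):
    """Apply decide() to each sample incident and report per-user closure spikes."""
    results = []
    for user, severity, reply, mins in sample:
        replied_at = T0 + timedelta(minutes=mins) if mins is not None else None
        results.append((user, decide(severity, T0, reply, replied_at)))
    spikes = closure_spikes((user, T0.date(), dec) for user, dec in results)
    return results, spikes
```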
