Forum Discussion
Detailed Email Alerts
One area that I haven't seen covered is how to get more detail into email alerts that may be generated as the result of a playbook execution. You can get basic alert information but no information on the event data.
I configured this playbook which will run the query that is part of the analytic rule and send those in an email formatted as an HTML table.
This is the JSON schema:
{
  "properties": {
    "Query": { "type": "string" },
    "Query End Time UTC": { "type": "string" },
    "Query Period": { "type": "string" },
    "Query Results Aggregation Kind": { "type": "string" },
    "Query Start Time UTC": { "type": "string" },
    "Search Query Results Overall Count": { "type": "string" },
    "Total Account Entities": { "type": "string" },
    "Total Host Entities": { "type": "string" },
    "Total URL Entities": { "type": "string" },
    "Trigger Operator": { "type": "string" },
    "Trigger Threshold": { "type": "string" }
  },
  "type": "object"
}
Hope this is helpful for some of you.
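As an added example (not code from the original post, and not an Azure Sentinel or Logic Apps artifact), here is the same idea in plain Python: parse the alert's extended properties against the schema above, then build the HTML table from the query rows with every cell escaped, since the row values come straight from log data. The sample properties and rows are constructed.

```python
import html
import json

# Field names from the extended-properties schema above; every value is a string.
EXPECTED_KEYS = (
    "Query", "Query End Time UTC", "Query Period", "Query Results Aggregation Kind",
    "Query Start Time UTC", "Search Query Results Overall Count", "Total Account Entities",
    "Total Host Entities", "Total URL Entities", "Trigger Operator", "Trigger Threshold",
)

def parse_extended_properties(raw):
    """Parse the alert's extended properties JSON and check it against the schema."""
    props = json.loads(raw)
    if not isinstance(props, dict):
        raise ValueError("extended properties must be a JSON object")
    bad = [k for k in EXPECTED_KEYS if not isinstance(props.get(k), str)]
    if bad:
        raise ValueError(f"missing or non-string fields: {bad}")
    return props

def results_to_html_table(rows):
    """Render query rows as an HTML table; cells are escaped so log values cannot inject markup."""
    if not rows:
        return "<p>No query results.</p>"
    columns = list(rows[0].keys())
    head = "".join(f"<th>{html.escape(c)}</th>" for c in columns)
    body = "".join(
        "<tr>" + "".join(f"<td>{html.escape(str(r.get(c, '')))}</td>" for c in columns) + "</tr>"
        for r in rows)
    return f"<table><thead><tr>{head}</tr></thead><tbody>{body}</tbody></table>"

def build_alert_email(raw_props, rows):
    """Alert summary built from the schema fields, followed by the escaped result table."""
    p = {k: html.escape(str(v)) for k, v in parse_extended_properties(raw_props).items()}
    summary = (f"<p>Query: <code>{p['Query']}</code> over {p['Query Period']}, "
               f"{p['Search Query Results Overall Count']} results "
               f"(trigger: {p['Trigger Operator']} {p['Trigger Threshold']})</p>")
    return summary + results_to_html_table(rows)

# Constructed sample alert properties and query rows, not real alert data.
SAMPLE_PROPS = json.dumps({
    "Query": "SigninLogs | where ResultType != 0", "Query Period": "PT1H",
    "Query Start Time UTC": "2021-01-01T00:00:00Z", "Query End Time UTC": "2021-01-01T01:00:00Z",
    "Query Results Aggregation Kind": "SingleAlert", "Search Query Results Overall Count": "2",
    "Total Account Entities": "1", "Total Host Entities": "0", "Total URL Entities": "0",
    "Trigger Operator": "GreaterThan", "Trigger Threshold": "0",
})
SAMPLE_ROWS = [{"UserPrincipalName": "alice@example.com", "ResultType": "50126"},
               {"UserPrincipalName": "<b>not</b> a user", "ResultType": "50053"}]
```

In a Logic App the same escaping step matters wherever a query column is concatenated into the email body rather than passed through a table action that escapes for you.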
7 Replies
- GraceAA (Copper Contributor): Did you find the reason why the error was generated? I'm running into the same.
- GaryBushey (Bronze Contributor):
GraceAA A couple of things:
1) Put in a time delay of 5-10 seconds between the trigger and when you load the incident. There is sometimes a brief delay creating the incident.
2) Rewrite the playbook to use the Incident trigger that gets used with the new Azure Sentinel Automation features. All the alert and incident information will still be available (although there may be some name changes).
- Two basic articles about email with Azure Sentinel alerts:
- https://azsec.azurewebsites.net/2020/01/19/notify-azure-sentinel-alert-to-your-email-automatically/
- https://azsec.azurewebsites.net/2020/01/19/parse-extendedproperty-in-azure-sentinel-alert-for-logic-app-use/
These give you step-by-step guidance and sample HTML format.