Forum Discussion
Email Alerts on New and Assigned Incidents
- Feb 07, 2020
For Question 1, you could:
1. Assign a Playbook that sends an email to all your Alerts/Rules: https://docs.microsoft.com/en-us/azure/sentinel/tutorial-respond-threats-playbook. You just need these two steps, "When a trigger.." and "Send approval email", from the diagram in step 9. This is my preferred option.
2. You could instead create a new Alert in Sentinel that runs (every 5 mins, which is the shortest interval), using logic like this below (just a sample, which you need to check), then attach the "send email" playbook to that Alert only.
3. A variation would be to do this all in a Playbook, with the trigger being a scheduled event (search for "Recurrence").
However, please note there is a cost for executing a playbook (if you wanted it once per second, that will add up!).
Sample logic; you may need different filtering or data displayed.
SecurityAlert
//| where TimeGenerated > ago(1h)
| where ProductName == "Azure Sentinel"
| where AlertSeverity !="Informational"
| project ProductName , AlertSeverity , IsIncident , AlertName , SystemAlertId
- akefallonitis, Apr 27, 2020, Brass Contributor
CliveWatson, can you please explain more on how to write a Logic App with recurrence to get the alerts from Sentinel?
- CliveWatson, Apr 27, 2020, Former Employee
This was a blog I wrote (but didn't post); hopefully it will help https://cloudblogs.microsoft.com/industry-blog/en-gb/cross-industry/2020/04/27/azure-sentinel-adding-the-query-data-to-an-alert-in-a-playbook/
- PrashTechTalk, Jul 23, 2020, Brass Contributor
CliveWatson - Is there a way to fetch the full Sentinel incident URL (not the entities URL) in Logic Apps, to send it in an email or push incident details to an incident management tool?
I am trying to compose it manually as I couldn't get the full incident URL, but again I am unable to get the incident object ID to add to the URL. How can I achieve this? Appreciate your response.
https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/xxxxxx/resourceGroups/xxxxx/providers/Microsoft.OperationalInsights/workspaces/xxxxx/providers/Microsoft.SecurityInsights/Incidents/<?? Incident Object ID ??>
- akefallonitis, Apr 24, 2020, Brass Contributor
The only problem with the solution you propose is that AlertName etc. are not aggregated into the sample rule that catches all the Azure Sentinel alerts.
- CliveWatson, Apr 24, 2020, Former Employee
The above was for Scheduled rules not "Incident creation rules". Is that what you mean?
- akefallonitis, Apr 24, 2020, Brass Contributor
No, I was talking about Scheduled queries too. If I run a Scheduled query rule, for example named TEST, with the query sent:
SecurityAlert
//| where TimeGenerated > ago(1h)
| where ProductName == "Azure Sentinel"
| where AlertSeverity !="Informational"
| project ProductName , AlertSeverity , IsIncident , AlertName , SystemAlertId
In the email alert I will always get "TEST" as the AlertName, i.e. the rule name and not the underlying "Azure Sentinel" alert names. I don't know if there is a way to aggregate the real name and pass it to the email alert, for example. Is there?
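Added example, not code from anyone in this thread: it covers two points raised above, the request for a full incident URL (the link shape PrashTechTalk composed from the portal) and the question of listing the underlying Azure Sentinel alert names rather than only the scheduled rule's name. It mirrors the thread's KQL filter in Python, aggregates alert names per severity (what a `summarize make_set(AlertName) by AlertSeverity` would do in the rule query) into an email body, and builds the portal deep link from an incident's ARM resource ID. The SecurityAlert rows, subscription, resource group, workspace and incident IDs are constructed; the portal URL prefix follows the pattern shown in the thread and is an assumption, as is the expectation that subscription and incident IDs are GUIDs.

```python
# Added example (not code from the thread). Mirrors the thread's KQL filter, aggregates
# the underlying Sentinel alert names for an email body, and builds an incident portal
# link in the shape composed in the thread. All sample rows and IDs are constructed.
import re
from collections import defaultdict

# Constructed rows shaped like the SecurityAlert columns the thread's query projects.
SAMPLE_ALERTS = [
    {"ProductName": "Azure Sentinel", "AlertSeverity": "High", "IsIncident": True,
     "AlertName": "Sign-in from an anonymous IP", "SystemAlertId": "id-0001"},
    {"ProductName": "Azure Sentinel", "AlertSeverity": "Medium", "IsIncident": True,
     "AlertName": "Rare RDP connection", "SystemAlertId": "id-0002"},
    {"ProductName": "Azure Sentinel", "AlertSeverity": "High", "IsIncident": False,
     "AlertName": "Sign-in from an anonymous IP", "SystemAlertId": "id-0003"},
    {"ProductName": "Azure Sentinel", "AlertSeverity": "Informational", "IsIncident": False,
     "AlertName": "Test rule fired", "SystemAlertId": "id-0004"},
    {"ProductName": "Azure Security Center", "AlertSeverity": "High", "IsIncident": True,
     "AlertName": "Malware detected", "SystemAlertId": "id-0005"},
]


def filter_alerts(rows, product="Azure Sentinel", drop_severity=("Informational",)):
    """Same filter as the thread's KQL:
    | where ProductName == "Azure Sentinel" | where AlertSeverity != "Informational"
    """
    return [r for r in rows
            if r["ProductName"] == product and r["AlertSeverity"] not in drop_severity]


def summarize_alert_names(rows):
    """Equivalent of KQL `summarize Count=count(), AlertNames=make_set(AlertName) by AlertSeverity`.
    Returns {severity: {"Count": n, "AlertNames": [sorted distinct names]}}."""
    buckets = defaultdict(lambda: {"Count": 0, "AlertNames": set()})
    for r in rows:
        bucket = buckets[r["AlertSeverity"]]
        bucket["Count"] += 1
        bucket["AlertNames"].add(r["AlertName"])
    return {sev: {"Count": b["Count"], "AlertNames": sorted(b["AlertNames"])}
            for sev, b in buckets.items()}


def compose_email_body(rule_name, rows):
    """Plain-text body that lists the underlying alert names, not just the rule name."""
    summary = summarize_alert_names(filter_alerts(rows))
    total = sum(b["Count"] for b in summary.values())
    lines = [f"Scheduled rule '{rule_name}' matched {total} alert(s):"]
    for sev in sorted(summary):  # deterministic ordering for tests and diffs
        lines.append(f"  [{sev}] x{summary[sev]['Count']}: " + "; ".join(summary[sev]["AlertNames"]))
    return "\n".join(lines)


# Portal link shape as composed in the thread (assumption, not verified against documentation).
PORTAL_INCIDENT_PREFIX = "https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident"

# ARM resource ID of a Sentinel incident. Static segments are matched case-insensitively
# because ARM does not guarantee their casing; subscription and incident are assumed GUIDs.
INCIDENT_RESOURCE_ID = re.compile(
    r"^/subscriptions/(?P<sub>[0-9a-f-]{36})/resourceGroups/(?P<rg>[^/]+)"
    r"/providers/Microsoft\.OperationalInsights/workspaces/(?P<ws>[^/]+)"
    r"/providers/Microsoft\.SecurityInsights/Incidents/(?P<incident>[0-9a-f-]{36})$",
    re.IGNORECASE,
)


def is_incident_resource_id(resource_id):
    """True when the string has the shape of a Sentinel incident ARM resource ID."""
    return INCIDENT_RESOURCE_ID.match(resource_id) is not None


def incident_portal_url(resource_id):
    """Build the portal deep link; refuse to emit a link for anything that is not an incident ID."""
    if not is_incident_resource_id(resource_id):
        raise ValueError(f"not a Sentinel incident resource ID: {resource_id!r}")
    return PORTAL_INCIDENT_PREFIX + resource_id


# Constructed incident resource ID for the demo.
DEMO_INCIDENT_ID = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-sentinel"
                    "/providers/Microsoft.OperationalInsights/workspaces/ws-sentinel"
                    "/providers/Microsoft.SecurityInsights/Incidents/11111111-2222-3333-4444-555555555555")

if __name__ == "__main__":
    print(compose_email_body("TEST", SAMPLE_ALERTS))
    print(incident_portal_url(DEMO_INCIDENT_ID))
```

In a Logic App the same two steps map onto a "Run query and list results" action feeding a "Send an email" action; the point of the aggregation is that the email carries the distinct underlying alert names per severity instead of the single rule name, and the URL builder validates the resource ID before a malformed link reaches an email or a ticketing tool.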