Forum Discussion

Stefanie Cortese's avatar
Stefanie Cortese
Copper Contributor
Feb 06, 2020
Solved

Email Alerts on New and Assigned Incidents

This is probably something simple but I would like to set-up the following:  1) Email alerts any time a new incident is auto generated  2) Email alert any time an incident is assigned     
  • CliveWatson's avatar
    CliveWatson
    Feb 07, 2020

    Stefanie Cortese 

     

    For Question 1, you could:

     

    1. Assign a Playbook that sends an email, to all your Alerts/Rules? https://docs.microsoft.com/en-us/azure/sentinel/tutorial-respond-threats-playbook.   You just need these two steps "When a trigger.." and "Send approval email" , from the diagram in step 9.  This is my preferred option.


    You could instead create a new Alert in Sentinel that runs (every 5mins, which is the shortest interval), using logic like this below (just a sample, which you need to check), then attach the "send email" playbook to that Alert only. 
    A variation would be to do this in all in a Playbook, with the trigger being a scheduled event (search for "Recurrence"). 
    However please note, there is a cost for executing a playbook (if you wanted it once per second, that will add up!).

    sample logic, you may need different filtering or data displayed.

    SecurityAlert
//| where TimeGenerated > ago(1h)
| where ProductName == "Azure Sentinel"  
| where AlertSeverity !="Informational"
| project ProductName , AlertSeverity , IsIncident , AlertName , SystemAlertId
     
     
     

     



CliveWatson's avatar
CliveWatson
Former Employee
Feb 07, 2020

Stefanie Cortese 

 

For Question 1, you could:

 

1. Assign a Playbook that sends an email, to all your Alerts/Rules? https://docs.microsoft.com/en-us/azure/sentinel/tutorial-respond-threats-playbook.   You just need these two steps "When a trigger.." and "Send approval email" , from the diagram in step 9.  This is my preferred option.


You could instead create a new Alert in Sentinel that runs (every 5mins, which is the shortest interval), using logic like this below (just a sample, which you need to check), then attach the "send email" playbook to that Alert only. 
A variation would be to do this in all in a Playbook, with the trigger being a scheduled event (search for "Recurrence"). 
However please note, there is a cost for executing a playbook (if you wanted it once per second, that will add up!).

sample logic, you may need different filtering or data displayed.

SecurityAlert
//| where TimeGenerated > ago(1h)
| where ProductName == "Azure Sentinel"  
| where AlertSeverity !="Informational"
| project ProductName , AlertSeverity , IsIncident , AlertName , SystemAlertId
 
 
 

 



akefallonitis's avatar
akefallonitis
Brass Contributor
Apr 24, 2020

CliveWatson 

 

The only problem with the solution you propose is that AlertName etc are not aggregate to the sample rules that catches all the Azure Sentinel Alert.