Forum Discussion
Email Alerts on New and Assigned Incidents
- Feb 07, 2020
For Question 1, you could:
1. Assign a Playbook that sends an email to all your Alerts/Rules? https://docs.microsoft.com/en-us/azure/sentinel/tutorial-respond-threats-playbook. You just need these two steps, "When a trigger..." and "Send approval email", from the diagram in step 9. This is my preferred option.
You could instead create a new Alert in Sentinel that runs (every 5mins, which is the shortest interval), using logic like this below (just a sample, which you need to check), then attach the "send email" playbook to that Alert only.
A variation would be to do this in all in a Playbook, with the trigger being a scheduled event (search for "Recurrence").
However, please note there is a cost for executing a playbook (if you wanted it once per second, that will add up!).
Sample logic; you may need different filtering or data displayed:
SecurityAlert
//| where TimeGenerated > ago(1h)
| where ProductName == "Azure Sentinel"
| where AlertSeverity != "Informational"
| project ProductName, AlertSeverity, IsIncident, AlertName, SystemAlertId
The only problem with the solution you propose is that AlertName etc. are not aggregated into the sample rule that catches all the Azure Sentinel alerts.
The above was for Scheduled rules, not "Incident creation rules". Is that what you mean?
- akefallonitis, Apr 24, 2020, Brass Contributor
No, I was talking about Scheduled queries too. If I run a Scheduled query rule, for example named TEST, with the query sent:
SecurityAlert
//| where TimeGenerated > ago(1h)
| where ProductName == "Azure Sentinel"
| where AlertSeverity !="Informational"
| project ProductName , AlertSeverity , IsIncident , AlertName , SystemAlertId
In the email alert I will always get "TEST" as the AlertName, the rule name, and not the underlying "Azure Sentinel" alert names. I don't know if there is a way to aggregate the real name and pass it to the email alert, for example. Is there?
- CliveWatson, Apr 24, 2020, Microsoft
What do you think is the 'real name'? If you run this, do you see a Column that matches the 'real name'? Can you send a screenshot of the column / field you mean please?
SecurityAlert
//| where TimeGenerated > ago(1h)
| where ProductName == "Azure Sentinel"
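For the scheduled-rule question raised above (the fired alert carries the rule name TEST rather than the underlying alert names), here is an added example that is not from this thread: it aggregates the real Azure Sentinel alert names into the rule's own result rows, so the names survive the scheduled query instead of being replaced by the rule name. It assumes a 5-minute schedule with a matching 5-minute lookback; how the email playbook then reads the aggregated column is not covered by this thread.

```kql
// Added example, not from the thread. Assumes the scheduled rule runs every
// 5 minutes with a 5-minute lookback, so each run sees only new alerts.
SecurityAlert
| where TimeGenerated > ago(5m)
| where ProductName == "Azure Sentinel"
| where AlertSeverity != "Informational"
// Collapse the underlying alerts into one row per severity, keeping the
// real alert names and alert ids rather than the scheduled rule's name.
| summarize
    UnderlyingAlertNames = make_set(AlertName),
    UnderlyingAlertIds   = make_set(SystemAlertId),
    AlertCount           = count(),
    LastSeen             = max(TimeGenerated)
  by AlertSeverity
// Flatten the name set to a single string so it is easy to place in an email body.
| extend UnderlyingAlertNames = strcat_array(UnderlyingAlertNames, "; ")
| project LastSeen, AlertSeverity, AlertCount, UnderlyingAlertNames, UnderlyingAlertIds
```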
- akefallonitis, Apr 24, 2020, Brass Contributor
Sent you a PM