Forum Discussion

Stefanie Cortese
Copper Contributor
Feb 06, 2020

Email Alerts on New and Assigned Incidents

This is probably something simple, but I would like to set up the following:
1) Email alerts any time a new incident is auto-generated
2) Email alert any time an incident is assigned
  • CliveWatson
    Feb 07, 2020

    Stefanie Cortese

    For Question 1, you could:

    1. Assign a Playbook that sends an email to all your Alerts/Rules? https://docs.microsoft.com/en-us/azure/sentinel/tutorial-respond-threats-playbook. You just need these two steps, "When a trigger..." and "Send approval email", from the diagram in step 9. This is my preferred option.


    You could instead create a new Alert in Sentinel that runs every 5 mins (the shortest interval), using logic like the sample below (which you need to check), then attach the "send email" playbook to that Alert only.
    A variation would be to do this all in a Playbook, with the trigger being a scheduled event (search for "Recurrence").
    However, please note that there is a cost for executing a playbook (if you wanted it once per second, that will add up!).

    Sample logic; you may need different filtering or data displayed.

    SecurityAlert
    // Time bound is commented out in this sample; for a scheduled rule, match it to the rule's lookback window
    //| where TimeGenerated > ago(1h)
    // Only alerts raised by Sentinel's own analytics rules
    | where ProductName == "Azure Sentinel"
    // Drop informational alerts so they do not trigger the email playbook
    | where AlertSeverity != "Informational"
    | project ProductName, AlertSeverity, IsIncident, AlertName, SystemAlertId
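To show how the posted query behaves once it runs as a scheduled rule (every 5 minutes, as the reply says), here is an added Python simulation that is not part of the original thread and not Sentinel code: it applies the same three filters to constructed SecurityAlert-shaped rows and runs them once per interval, comparing a lookback bound equal to the rule frequency against the commented-out (unbounded) time filter. The rows, timestamps and SystemAlertId values are constructed, and `select_alerts`, `simulate_schedule`, `total_emails` and the schedule constants are names chosen for this example.

```python
from datetime import datetime, timedelta, timezone


def _ts(hh, mm):
    # Constructed timestamps on the day of the reply (07 Feb 2020, UTC)
    return datetime(2020, 2, 7, hh, mm, tzinfo=timezone.utc)


# Constructed sample rows shaped like the SecurityAlert columns the posted query uses.
# All values are made up for this example, not taken from a real workspace.
SAMPLE_ALERTS = [
    {"TimeGenerated": _ts(8, 57), "ProductName": "Azure Sentinel", "AlertSeverity": "High",
     "IsIncident": True, "AlertName": "Suspicious sign-in", "SystemAlertId": "alert-001"},
    {"TimeGenerated": _ts(8, 58), "ProductName": "Azure Sentinel", "AlertSeverity": "Informational",
     "IsIncident": False, "AlertName": "Rule health", "SystemAlertId": "alert-002"},
    {"TimeGenerated": _ts(9, 2), "ProductName": "Azure Security Center", "AlertSeverity": "High",
     "IsIncident": True, "AlertName": "Malware detected", "SystemAlertId": "alert-003"},
    {"TimeGenerated": _ts(9, 3), "ProductName": "Azure Sentinel", "AlertSeverity": "Medium",
     "IsIncident": True, "AlertName": "Brute force", "SystemAlertId": "alert-004"},
    {"TimeGenerated": _ts(9, 8), "ProductName": "Azure Sentinel", "AlertSeverity": "Low",
     "IsIncident": True, "AlertName": "Rare process", "SystemAlertId": "alert-005"},
]

# Assumed rule schedule: first run 09:00 UTC, then every 5 minutes (the shortest interval in the reply)
START = _ts(9, 0)
FREQUENCY = timedelta(minutes=5)
PROJECTED = ("ProductName", "AlertSeverity", "IsIncident", "AlertName", "SystemAlertId")


def select_alerts(rows, now, lookback=None):
    """Python equivalent of the posted KQL filters.

    lookback=None mirrors the commented-out `| where TimeGenerated > ago(...)` line,
    i.e. no time bound at all; a timedelta mirrors `ago(lookback)` with a strict `>`.
    """
    selected = []
    for row in rows:
        if row["TimeGenerated"] > now:
            continue  # not ingested yet at this run time
        if lookback is not None and row["TimeGenerated"] <= now - lookback:
            continue  # older than ago(lookback)
        if row["ProductName"] != "Azure Sentinel":
            continue  # only Sentinel's own analytics-rule alerts
        if row["AlertSeverity"] == "Informational":
            continue  # informational alerts should not page anyone
        selected.append({col: row[col] for col in PROJECTED})
    return selected


def simulate_schedule(rows, start=START, runs=3, frequency=FREQUENCY, lookback=None):
    """Run the rule `runs` times, `frequency` apart.

    Returns, per run, the SystemAlertIds that would reach the email playbook.
    """
    return [
        [a["SystemAlertId"] for a in select_alerts(rows, start + i * frequency, lookback)]
        for i in range(runs)
    ]


def total_emails(schedule):
    # One playbook execution (and one email) per returned row per run
    return sum(len(run) for run in schedule)


if __name__ == "__main__":
    bounded = simulate_schedule(SAMPLE_ALERTS, lookback=FREQUENCY)
    unbounded = simulate_schedule(SAMPLE_ALERTS)
    print("lookback = frequency:", bounded, "emails:", total_emails(bounded))
    print("no time filter:      ", unbounded, "emails:", total_emails(unbounded))
```

With the lookback equal to the run frequency, each qualifying alert is returned exactly once (three emails for three alerts); with the time filter left commented out, every run returns every alert seen so far, so the same alert is emailed again on each 5-minute run and the playbook cost the reply warns about grows with every execution. If the lookback must overlap the frequency (to tolerate ingestion delay), the rows returned need to be deduplicated on SystemAlertId before the playbook sends mail.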