Forum Discussion
Email Alerts on New and Assigned Incidents
- Feb 07, 2020
For Question 1, you could:
1. Assign a Playbook that sends an email to all your Alerts/Rules? https://docs.microsoft.com/en-us/azure/sentinel/tutorial-respond-threats-playbook. You just need these two steps, "When a trigger.." and "Send approval email", from the diagram in step 9. This is my preferred option.
You could instead create a new Alert in Sentinel that runs (every 5mins, which is the shortest interval), using logic like this below (just a sample, which you need to check), then attach the "send email" playbook to that Alert only.
A variation would be to do this all in a Playbook, with the trigger being a scheduled event (search for "Recurrence").
However please note, there is a cost for executing a playbook (if you wanted it once per second, that will add up!). Sample logic; you may need different filtering or data displayed:
SecurityAlert
//| where TimeGenerated > ago(1h)
| where ProductName == "Azure Sentinel"
| where AlertSeverity != "Informational"
| project ProductName, AlertSeverity, IsIncident, AlertName, SystemAlertId
No, I was talking about Scheduled queries too. If I run a Scheduled query rule, for example named TEST, with the query sent:
SecurityAlert
//| where TimeGenerated > ago(1h)
| where ProductName == "Azure Sentinel"
| where AlertSeverity !="Informational"
| project ProductName , AlertSeverity , IsIncident , AlertName , SystemAlertId
In the email alert I will always get "TEST" as the AlertName (the rule name) and not the underlying "Azure Sentinel" alert names. I don't know if there is a way to aggregate the real name and pass it to the email alert, for example. Is there?
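As an added example (not part of this thread, and not Microsoft's documentation), one way to keep the underlying alert names visible in a scheduled rule's own results is to group the SecurityAlert rows by AlertName instead of projecting them one by one. The 5-minute lookback is an assumption chosen to match the shortest scheduling interval mentioned above; adjust it to your rule's frequency so alerts are neither missed nor double-counted:

```kql
// Constructed example: group underlying Sentinel alerts by their real name
// so each result row of the scheduled rule carries that name, a count and
// the SystemAlertId values behind it.
SecurityAlert
| where TimeGenerated > ago(5m)                 // assumption: matches a 5-minute rule schedule
| where ProductName == "Azure Sentinel"
| where AlertSeverity != "Informational"
| summarize
    AlertCount = count(),
    HighestSeverity = max(AlertSeverity),       // string max: "High" sorts above "Low"/"Medium" lexically, check it suits you
    AlertIds = make_set(SystemAlertId)
    by AlertName
| order by AlertCount desc
```

The scheduled rule is still named TEST, so anything that reads only the rule's own name will keep showing TEST; the grouped AlertName, AlertCount and AlertIds columns live in the query results the rule evaluates, where they can be reviewed in Log Analytics or used by whatever handles the rule's output.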
What do you think is the 'real name'? If you run this, do you see a Column that matches the 'real name'? Can you send a screenshot of the column / field you mean please?
SecurityAlert
//| where TimeGenerated > ago(1h)
| where ProductName == "Azure Sentinel"
- akefallonitis, Apr 24, 2020, Brass Contributor
Sent you a PM