Forum Discussion
Stefanie Cortese
Feb 06, 2020 - Copper Contributor
Email Alerts on New and Assigned Incidents
This is probably something simple, but I would like to set up the following:
1) Email alerts any time a new incident is auto-generated
2) Email alert any time an incident is assigned
- Feb 07, 2020
For Question 1, you could:
1. Assign a Playbook that sends an email to all your Alerts/Rules? https://docs.microsoft.com/en-us/azure/sentinel/tutorial-respond-threats-playbook. You just need these two steps, "When a trigger.." and "Send approval email", from the diagram in step 9. This is my preferred option.
2. You could instead create a new Alert in Sentinel that runs on a schedule (every 5 mins, which is the shortest interval), using logic like the sample below (just a sample, which you need to check), then attach the "send email" playbook to that Alert only.
3. A variation would be to do this all in a Playbook, with the trigger being a scheduled event (search for "Recurrence").
However, please note there is a cost for executing a playbook (if you wanted it once per second, that will add up!).

Sample logic; you may need different filtering or data displayed:

SecurityAlert
//| where TimeGenerated > ago(1h)
| where ProductName == "Azure Sentinel"
| where AlertSeverity != "Informational"
| project ProductName, AlertSeverity, IsIncident, AlertName, SystemAlertId
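An added example, not from the original thread or from Microsoft's documentation, showing the sample above filled out for option 2: a scheduled rule on a 5-minute interval. The time filter the sample leaves commented out is the important part. If the lookback window is wider than the run interval, the same alert matches on every run until it ages out and the attached playbook emails it repeatedly. The `5m` window, the `IsIncident` filter and the deduplication by `SystemAlertId` are assumptions for this example; the rule's own query period should be set to the same 5 minutes.

```kusto
// Added example (not the thread's or Microsoft's own query).
// Scheduled analytics rule body for a 5-minute run interval: the lookback
// equals the interval so each auto-generated alert is returned once.
let lookback = 5m;                          // assumption: match the rule's query frequency
SecurityAlert
| where TimeGenerated > ago(lookback)      // only alerts raised since the previous run
| where ProductName == "Azure Sentinel"
| where AlertSeverity != "Informational"
| where IsIncident == true                 // assumption: only alerts that produced an incident
| summarize arg_max(TimeGenerated, *) by SystemAlertId   // one row per alert
| project TimeGenerated, AlertName, AlertSeverity, SystemAlertId, ProductName
```

When the email playbook is attached to this rule, each run emails only the rows returned, so a row that appears in two consecutive runs means the lookback and the run frequency have drifted apart and should be re-aligned.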
GaryBushey
Jul 23, 2020 - Bronze Contributor
PrashTechTalk If you have the SubscriptionID, Resource Group name, Workspace ID (not the name), and the Alert ID you can call the "Get Incident" action from the Azure Sentinel connector to get the URL. It doesn't return it directly but it returns the information needed to get it.
PrashTechTalk
Jul 23, 2020 - Brass Contributor
GaryBushey Thanks for your response. I am using Get Incident to get all incident details, but that does not provide the full incident URL, nor does it give the incident object ID needed to form this URL. Either this is a feature enhancement to include the incident object ID or to give a full incident URL. I do not see any properties giving these details. Please correct me if I am wrong and any property related to the incident can give this value.
- GaryBushey - Jul 23, 2020 - Bronze Contributor
PrashTechTalk Yeah, you would need to extract that from the Body. Not sure why everything isn't exposed 😉 The good news is there is a private preview that will help alleviate this issue, and it should be released soon.