Forum Discussion
DGMalcolm (Iron Contributor)
Sep 29, 2023
Include Additional Entities Detail in Email
Hey all,
I am relatively new to Sentinel and I've run across a situation I can't seem to resolve. I've enabled the "SentinelIncident" automation rule and I've configured it to run the 'Send-email-with-formatted-incident-report' playbook. I am receiving the emails when incidents happen but the emails are missing some important details. For example, I occasionally get an email entitled "New Azure Sentinel incident - Atypical travel". In the Entities box at the bottom of this email there are 2 columns - Entity and Entity Type. For this type of incident the Entity column shows a GUID with an Entity Type of Account. Can I resolve the GUID to a user name or UPN so that it shows in the email? Without the user name I have to log into Azure to find out which user is responsible for the incident.
Related but probably more advanced, is there a way to give a geolocation for the IP addresses that also show in the Entities box. It would be helpful to know where the Atypical Travel was happening.
TIA
~dgm~
- Clive_Watson (Bronze Contributor)
Two options:
1. You can amend the Playbook to run a new KQL query to do the UPN lookup and geo lookup https://learn.microsoft.com/en-us/azure/data-explorer/kusto/query/geo-info-from-ip-address-function
2. You can disable the atypical travel alert with an Automation Rule, then write and run your own version of Atypical travel with all the enrichments you need and call the playbook from that
- DGMalcolm (Iron Contributor)
I went off to begin digging into these details but then got sidetracked by other things, you know life. And now I've come back to this. I've got queries that pull the geolocation info and I am able to get the UPN data. But I'm not sure how to "amend the Playbook to run a new KQL query". I don't see an option in the Playbook editor for running a KQL query - am I just missing something?
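As an added example (not posted in the thread and not Microsoft's sample code), here is the kind of KQL a playbook step can run against the workspace, for instance through the Azure Monitor Logs connector's "Run query and list results" action, to carry out Clive's option 1: resolve the Account entity's GUID to a UPN from SigninLogs and geolocate the IP entities with the geo_info_from_ip_address() function he linked. It assumes the Account GUID is the Entra ID user object ID that SigninLogs stores in UserId; the two placeholder inputs at the top are constructed values the playbook would replace with the incident's entities.

```kql
// Added example, not code from the thread. The two inputs below are constructed placeholders;
// the playbook would substitute the incident's Account GUID and IP entities before running this.
let TargetObjectId = "00000000-0000-0000-0000-000000000000";    // constructed placeholder GUID
let EntityIps      = dynamic(["203.0.113.10", "198.51.100.25"]); // constructed placeholder IPs
let LookbackWindow = 14d;
// Step 1: resolve the object ID to a UPN using the user's most recent sign-in.
// Assumption: the Account entity GUID is the Entra ID user object ID held in SigninLogs.UserId.
let ResolvedUpn = toscalar(
    SigninLogs
    | where TimeGenerated > ago(LookbackWindow)
    | where UserId == TargetObjectId
    | top 1 by TimeGenerated desc
    | project UserPrincipalName);
// Step 2: geolocate each IP entity with the built-in function from the linked docs page.
// Private or unknown addresses come back with empty fields, so they are flagged rather than dropped.
print IPAddress = EntityIps
| mv-expand IPAddress to typeof(string)
| extend Geo = geo_info_from_ip_address(IPAddress)
| extend AccountObjectId   = TargetObjectId,
         UserPrincipalName = iff(isempty(ResolvedUpn), "<no sign-in in lookback window>", ResolvedUpn),
         Country   = tostring(Geo.country),
         State     = tostring(Geo.state),
         City      = tostring(Geo.city),
         Latitude  = toreal(Geo.latitude),
         Longitude = toreal(Geo.longitude),
         GeoStatus = iff(isempty(tostring(Geo.country)), "no geo data (private or unknown IP)", "ok")
// One row per IP, each carrying the resolved UPN, ready to be rendered as a table in the email.
| project AccountObjectId, UserPrincipalName, IPAddress, Country, State, City, Latitude, Longitude, GeoStatus
```

The rows returned by the query step can then be fed into the email body, alongside or instead of the existing Entities table.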
- Clive_Watson (Bronze Contributor)
- DGMalcolm (Iron Contributor)
Great, thank you for the guidance. I'm digging into these options now.