New incident notification
Hi,
I'm trying to get Sentinel incident (Microsoft.SecurityInsights/Cases) properties (JSON body) on my API endpoint each time a new incident is created in the system.
Microsoft.Graph allows you to subscribe to and manipulate security alerts, but there is no way to get the incident based on its alert.
A playbook allows me to get the incident only for a specific rule, but it would have to be manually integrated into each existing/new rule.
... and there is no Azure Sentinel API.
Is there a way to do so?
Thanks.
13 Replies
- Nicholas DiCola (SECURITY JEDI), Former Employee
Today, the only way is to run a playbook for each rule. You could have 1 playbook that is used across all your rules.
We will eventually release APIs.
- Cristian Calinescu, Brass Contributor
Nicholas DiCola (SECURITY JEDI) But what about the Microsoft Security rules like "Create incidents based on Azure ATP alerts" or MCAS alerts? You can't attach a playbook to those. So how do you get it to automatically log a SNOW incident, let's say, or send an email whenever an Azure Sentinel incident of such a type is created? Are you aware of any way to do this with the current functionality?
- Nicholas DiCola (SECURITY JEDI), Former Employee
We are aware you cannot call a playbook today. We plan to change that. In the short term, if you must call a playbook, then you would need to disable the MSFT rules and create scheduled rules for each product manually.