Forum Discussion
New incident notification
- Nov 18, 2019
Today, the only way is to run a playbook for each rule. You could have 1 playbook that is used across all your rules.
We will eventually release APIs.
Nicholas DiCola (SECURITY JEDI) But what about the Microsoft Security rules like Create incidents based on Azure ATP alerts, or MCAS alerts? You can't attach a playbook to those. So how do you get it to automatically log a SNOW incident, let's say, or send an email whenever an Azure Sentinel incident of such type is created? Are you aware of any way to do this with the current functionality?
- Nicholas DiCola (SECURITY JEDI), Nov 21, 2019, Former Employee
We are aware you cannot call a playbook today. We plan to change that. In the short term, if you must call a playbook then you would need to disable the MSFT rules and create scheduled rules for each product manually.
- Cristian Calinescu, Nov 22, 2019, Brass Contributor
Nicholas DiCola (SECURITY JEDI) - Many thanks for the reply. I managed to find a way around this actually, and it seems to be working pretty well. The solution I've put together is a logic app which runs on a schedule every 5 minutes and does the following:
1. It runs a Log Analytics query to get all Security Alerts generated for the last 5 minutes
SecurityAlert
| where TimeGenerated >= now(-5m)
There is a slight delay between the time the alert fires in its respective solution (WDATP, MCAS, etc.) and the time it gets ingested in Log Analytics, but so far, with this timespan configuration, it hasn't missed any alert. Hopefully it won't going forward :).
2. For each value returned it gets the Azure Sentinel incident (where it finds a match). I had to manually specify the Subscription ID, Resource Group, and Workspace ID and used the dynamic value of SystemAlertId for the "Specify Alert id parameter". This is the only way I managed to get it working.
3. It then creates a SNOW incident based on the values from the Get Incident in Sentinel
4. It gets the SNOW record
5. It sends an email containing the desired info
Here's a screenshot of the logic app. Hope it helps, and I'm looking forward to you guys changing the MSFT rules, as going forward it would be nice to have a way to expand/create a logic app that, when the status of the incident is set to closed in Sentinel, will automatically close the SNOW incident or at least the alert in its respective product.
- aal5890, Dec 02, 2019, Copper Contributor
Cristian Calinescu do you know how we can deal with empty subscription ids/workspace ids? Some of my System alerts (e.g. from MCAS) don't have a subscription id and the Azure Sentinel - Get Incident action fails in that case. Also, I was using a similar logic app as you, but instead of the Log Analytics connector I used the Microsoft Graph Security Connector to get the latest alerts. I'm not sure if it works the same way.
Thank you
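An added example, not code from any poster in this thread, modelling steps 1 and 2 of the scheduled logic app offline in Python together with the empty-id case raised in the last post: it parses the tables/columns/rows shape a Log Analytics query returns for the SecurityAlert query, builds the Get Incident inputs from SystemAlertId, falls back to the hand-entered subscription, resource group and workspace when a row's ids are empty, and skips alerts an earlier run already handled so the polling window can be widened to absorb ingestion delay. The response rows, timestamps and the RUN_AT poll time are constructed; the scope ids are placeholders, and the use of the WorkspaceSubscriptionId/WorkspaceResourceGroup columns as the per-alert ids is an assumption.

```python
from datetime import datetime, timedelta, timezone

# Fixed Sentinel scope the poster typed in by hand (placeholders, not real ids).
DEFAULT_SCOPE = {"subscription_id": "<SUBSCRIPTION-ID>",
                 "resource_group": "<RESOURCE-GROUP>",
                 "workspace_id": "<WORKSPACE-ID>"}
# Constructed time of this poll run, used by the demo below.
RUN_AT = datetime(2019, 11, 22, 10, 5, tzinfo=timezone.utc)
# Constructed Log Analytics response for: SecurityAlert | where TimeGenerated >= now(-5m)
SAMPLE_RESPONSE = {"tables": [{"name": "PrimaryResult", "columns": [
    {"name": "TimeGenerated", "type": "datetime"},
    {"name": "SystemAlertId", "type": "string"},
    {"name": "ProductName", "type": "string"},
    {"name": "WorkspaceSubscriptionId", "type": "string"},
    {"name": "WorkspaceResourceGroup", "type": "string"}],
  "rows": [
    ["2019-11-22T10:01:30Z", "alert-0001", "Microsoft Defender ATP", "sub-a", "rg-a"],
    ["2019-11-22T10:03:10Z", "alert-0002", "Microsoft Cloud App Security", "", ""],
    ["2019-11-22T09:55:00Z", "alert-0003", "Azure ATP", "sub-a", "rg-a"]]}]}

def rows_as_dicts(response):
    """Zip the columns/rows arrays of a Log Analytics result into dicts."""
    table = response["tables"][0]
    names = [c["name"] for c in table["columns"]]
    return [dict(zip(names, row)) for row in table["rows"]]

def get_incident_params(alert, scope=DEFAULT_SCOPE):
    """Inputs for Sentinel 'Get Incident'; empty ids (as seen on MCAS rows)
    fall back to the fixed scope instead of failing the action."""
    return {"subscription_id": alert.get("WorkspaceSubscriptionId") or scope["subscription_id"],
            "resource_group": alert.get("WorkspaceResourceGroup") or scope["resource_group"],
            "workspace_id": scope["workspace_id"],
            "alert_id": alert["SystemAlertId"]}

def select_new_alerts(response, seen_ids, now, window=timedelta(minutes=5)):
    """Alerts inside the window not handled by an earlier run, so the window
    can be widened to absorb ingestion delay without logging a ticket twice."""
    start = now - window
    picked = []
    for alert in rows_as_dicts(response):
        ts = datetime.fromisoformat(alert["TimeGenerated"].replace("Z", "+00:00"))
        if ts < start or alert["SystemAlertId"] in seen_ids:
            continue
        seen_ids.add(alert["SystemAlertId"])
        picked.append(get_incident_params(alert))
    return picked

if __name__ == "__main__":
    print(select_new_alerts(SAMPLE_RESPONSE, set(), RUN_AT))  # alert-0001, alert-0002
```

The returned dicts are what the Get Incident, Create SNOW incident and email steps would consume; persisting seen_ids between runs (for example in a storage table) is what makes the overlap protection hold across poll cycles.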