Forum Discussion
Saif_Rahman
Jan 10, 2021 (Copper Contributor)
Notification of Incident Assignment
Two Questions:
1. When you assign a ticket to an individual from the Sentinel Incidents - are there any inbuilt notification features, or do most people do this through Playbooks?
2. Is there a documented reference architecture for Incident Management in Azure Sentinel? For example, we would like to use native Microsoft tooling (Boards, etc.) vs. external ticketing flows.
- GaryBushey (Bronze Contributor)
Saif_Rahman If you have an NDA with Microsoft, see about joining the Azure Sentinel private previews. There is one there that would be of interest to you regarding this issue.
- Saif_Rahman (Copper Contributor)
We have an NDA in place - which one is this? GaryBushey
- GaryBushey (Bronze Contributor)
Saif_Rahman Not sure I am allowed to say as it is a private preview. But if you join there will be a listing of all the private previews and there will definitely be one that will stand out 🙂
- JKatzmandu (Brass Contributor)
The easiest way to do this is to set up a Logic App that runs on a schedule (every few minutes) and runs a query against the SecurityIncident table; have it look for a "recently modified" timestamp and new assignment; the result can then be e-mailed.
The "Incident" tooling itself is fairly minimal but seems to be growing as a workflow. I'm a big fan of tailoring workflows for the business and what makes the most sense for the SOC/analysts working the incident.
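The scheduled query that post describes, written out as an added example (not code from the poster or from Microsoft). It assumes the standard SecurityIncident table schema in the Sentinel workspace, where every incident update is logged as a new row and the Owner column is a dynamic object carrying userPrincipalName; the 1-day and 5-minute windows are illustrative values to match a Logic App recurrence of a few minutes:

```kusto
// Find incidents whose owner was set or changed in the last 5 minutes.
// Each update to an incident writes a fresh row, so the previous owner is
// recovered by ordering the rows per incident and comparing with prev().
SecurityIncident
| where TimeGenerated > ago(1d)                       // look-back so the prior row is in scope
| extend CurrentOwner = tostring(Owner.userPrincipalName)
| sort by IncidentNumber asc, LastModifiedTime asc   // serializes rows for prev()
| extend PrevIncident = prev(IncidentNumber),
         PrevOwner = prev(CurrentOwner)
// First row of an incident (PrevIncident differs) counts as a new assignment
// if an owner is already present; otherwise only an owner change counts.
| where isnotempty(CurrentOwner)
    and (PrevIncident != IncidentNumber or PrevOwner != CurrentOwner)
| where LastModifiedTime > ago(5m)                    // only recent assignments
| project LastModifiedTime, IncidentNumber, Title, Severity, Status,
          AssignedTo = CurrentOwner, PreviousOwner = PrevOwner,
          ModifiedBy, IncidentUrl
```

In the Logic App, this query goes into the Azure Monitor Logs connector's "Run query and list results" action on a Recurrence trigger; a "For each" over the results then sends the e-mail (or Teams message) using AssignedTo as the recipient and IncidentUrl as the link. The 1-day look-back must be at least as long as the gap between an incident's consecutive updates you care about, otherwise the previous row falls outside the window and a change is reported as a first assignment; widening it costs only query time, not correctness.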