Forum Discussion
New incident notification
- Nov 18, 2019
Today, the only way is to run a playbook for each rule. You could have 1 playbook that is used across all your rules.
We will eventually release APIs.
Nicholas DiCola (SECURITY JEDI) - Many thanks for the reply. I managed to find a way around this actually, and it seems to be working pretty well. The solution I've put together is a logic app which runs on a schedule every 5 minutes and does the following:
1. It runs a Log Analytics query to get all Security Alerts generated for the last 5 minutes:
SecurityAlert
| where TimeGenerated >= now(-5m)
There is a slight delay between the time the alert fires in its respective solution (WDATP, MCAS, etc.) and the time it gets ingested in Log Analytics, but so far, with this timespan configuration, it hasn't missed any alert. Hopefully it won't miss any going forward :).
2. For each value returned it gets the Azure Sentinel incident (where it finds a match). I had to manually specify the Subscription ID, Resource Group, and Workspace ID and used the dynamic value of SystemAlertId for the "Specify Alert id parameter"; this is the only way I managed to get it working.
3. It then creates a SNOW incident based on the values from the Get Incident in Sentinel
4. It gets the SNOW record
5. It sends an email containing the desired info
Here's a screenshot of the logic app. Hope it helps, and I'm looking forward to you guys changing the MSFT rules, as going forward it would be nice to have a way to expand/create a logic app so that when the status of the incident is set to closed in Sentinel it automatically closes the SNOW incident, or at least the alert in its respective product.
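The step-1 query above relies on the 5-minute TimeGenerated window lining up with a 5-minute schedule, which the poster notes can race against ingestion delay. The following is an added example, not code from the thread or from the Sentinel product, that simulates the Log Analytics query over constructed SecurityAlert rows and contrasts the thread's window with a wider lookback keyed on the KQL ingestion_time() function plus de-duplication on SystemAlertId. The AlertRow class, the in-memory query simulator, the sample rows and the schedule are all constructed for the example; only SecurityAlert, SystemAlertId, TimeGenerated, ProviderName and ingestion_time() are real Log Analytics names.

```python
"""Added example: watermark-style polling of SecurityAlert with ingestion-delay
tolerance. The Log Analytics side is simulated in memory with constructed rows."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class AlertRow:
    """One SecurityAlert row (constructed). ingested_at stands in for ingestion_time()."""
    system_alert_id: str
    time_generated: datetime   # when the source product raised the alert
    ingested_at: datetime      # when Log Analytics made the row queryable
    provider_name: str


def build_query(lookback: timedelta, on_ingestion: bool) -> str:
    """KQL a real run would send. The thread filters on TimeGenerated; the hardened
    variant filters on ingestion_time() so late-arriving rows are still returned."""
    minutes = int(lookback.total_seconds() // 60)
    column = "ingestion_time()" if on_ingestion else "TimeGenerated"
    return (
        "SecurityAlert\n"
        f"| where {column} >= ago({minutes}m)\n"
        "| project SystemAlertId, TimeGenerated, ProviderName"
    )


def run_query(rows, now, lookback, on_ingestion):
    """Simulated Log Analytics: only rows already ingested at 'now' are visible,
    and the lookback window is applied to the chosen column."""
    window_start = now - lookback
    return [
        r for r in rows
        if r.ingested_at <= now
        and (r.ingested_at if on_ingestion else r.time_generated) >= window_start
    ]


def poll_schedule(rows, runs, lookback, on_ingestion, dedup):
    """Run the poll at each scheduled time and return the SystemAlertIds that would
    be forwarded to the Get Incident / ServiceNow steps, in order. Without 'dedup'
    an overlapping window forwards the same alert more than once."""
    seen = set()
    forwarded = []
    for now in runs:
        for r in run_query(rows, now, lookback, on_ingestion):
            if dedup and r.system_alert_id in seen:
                continue
            seen.add(r.system_alert_id)
            forwarded.append(r.system_alert_id)
    return forwarded


def _t(hh, mm):
    return datetime(2019, 11, 18, hh, mm, tzinfo=timezone.utc)


# Constructed sample: alert-B is ingested six minutes after it fired, which is
# exactly the delay the thread describes.
SAMPLE_ROWS = [
    AlertRow("alert-A", _t(0, 1), _t(0, 2), "WDATP"),
    AlertRow("alert-B", _t(0, 3), _t(0, 9), "MCAS"),
    AlertRow("alert-C", _t(0, 12), _t(0, 12), "WDATP"),
]
SCHEDULE = [_t(0, 5), _t(0, 10), _t(0, 15), _t(0, 20)]


def thread_approach():
    """Every 5 min, TimeGenerated >= now(-5m), no dedup: alert-B is never forwarded,
    because by the time it is queryable its TimeGenerated has left the window."""
    return poll_schedule(SAMPLE_ROWS, SCHEDULE, timedelta(minutes=5),
                         on_ingestion=False, dedup=False)


def hardened_without_dedup():
    """15-minute lookback on ingestion_time() alone: nothing is missed, but the
    overlap forwards alerts repeatedly (eight forwards for three alerts)."""
    return poll_schedule(SAMPLE_ROWS, SCHEDULE, timedelta(minutes=15),
                         on_ingestion=True, dedup=False)


def hardened_approach():
    """15-minute lookback on ingestion_time() plus dedup on SystemAlertId:
    every alert is forwarded exactly once."""
    return poll_schedule(SAMPLE_ROWS, SCHEDULE, timedelta(minutes=15),
                         on_ingestion=True, dedup=True)


if __name__ == "__main__":
    print(build_query(timedelta(minutes=15), on_ingestion=True))
    print("thread approach:      ", thread_approach())
    print("hardened, no dedup:   ", hardened_without_dedup())
    print("hardened with dedup:  ", hardened_approach())
```

In a Logic App the dedup store would be something persistent the run can check before the Get Incident step (the example keeps it in a Python set to stay self-contained); the point is that widening the window buys ingestion tolerance only if SystemAlertId is used to suppress repeats.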
This is great. You should contribute this playbook to the GitHub. If you need some help, I am happy to help you do that.