Forum Discussion
OrkSnorgler
Apr 02, 2023 - Copper Contributor
Retrieve recent sign-in logs and output to an email
Hello,
For me, automation in Sentinel is so unnecessarily complicated and feels like it requires developer level knowledge. It’s quite frustrating.
I am trying to accomplish the following task and was hoping for some assistance.
Sometimes I receive an "atypical travel" or "unfamiliar sign-in" alert. The entities will be a user account and a few different IP addresses. What's frustrating is they are FAILED sign-ins... password guess incorrect. Unfortunately, I have to log in to find that out, which is a waste of time and leads me to my next question...
In order to make it easier for me to determine if it’s a false positive, without having to log into a computer and investigate, we would like a playbook to run that will take the user account listed in the sentinel incident, retrieve the last 7 days worth of sign-in logs from Azure for said user, output them to an email and send it via email with the alert.
Even if it’s the exported CSV file.
That way, from my mobile phone, I can check and see if it's a false positive pretty quickly.
Does anyone know how to accomplish this? I've read about JSON files and all this other stuff. I've tried various things and nothing works.
Thank you very much for your time!
- Clive_Watson - Bronze Contributor
There is another way, I noticed you said "What’s frustrating, is they are FAILED sign-ins….password guess incorrect...". You can add an Automation Rule to run another query to filter out those exceptions. The correlation rule would be a start, but you will need some KQL knowledge to adapt it.
You then send an email after that rule is run, which will only show what's left. There is some good content in Module 9 of the Sentinel training: Become a Microsoft Sentinel Ninja: The complete level 400 training - Microsoft Community Hub
There is a similar walkthrough (for another Incident) which is a close match to your original ask: Using Sentinel to automatically respond to identity alerts – Microsoft Sentinel 101 (learnsentinel.blog)
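As an added illustration of the query the automation would run (example KQL written for this thread, not code from either poster, from the Ninja training or from the linked blog), this pulls the last 7 days of SigninLogs for the account named in the incident and labels each row as a success or a failure, so the emailed result shows at a glance whether the "unfamiliar" IPs ever got in. The UPN value is a constructed placeholder; in a playbook it would come from the incident's Account entity.

```kql
// Added example query for the playbook / automation rule described above.
// Assumes the Azure AD (Entra ID) SigninLogs table is connected to the workspace.
let lookback = 7d;
let suspect_upn = "user@example.com";   // placeholder: supplied by the incident's Account entity
let recent_signins =
    SigninLogs
    | where TimeGenerated > ago(lookback)
    | where UserPrincipalName =~ suspect_upn
    // ResultType "0" is a successful sign-in; any other value is an error code,
    // e.g. 50126 = invalid username or password (a wrong-password guess)
    | extend Outcome = iff(ResultType == "0", "Success", strcat("Failed (", ResultType, ")"));
// Detail rows for the email / CSV attachment: one line per sign-in attempt
recent_signins
| project TimeGenerated, UserPrincipalName, IPAddress, Location, AppDisplayName, Outcome, ResultDescription
| order by TimeGenerated desc
```

To apply Clive's "filter out the failed ones" idea, append `| where ResultType == "0"` before the `project` step: if the query then returns no rows for the alerting IPs, every attempt from them was a failed password guess and the incident is very likely a false positive; a `summarize Failures = countif(ResultType != "0"), Successes = countif(ResultType == "0") by IPAddress, Location` over `recent_signins` gives the same answer as a one-line-per-IP table.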