Bhavini
Copper Contributor
Jun 08, 2023

Sentinel Automation Requirements

Hi Team,

Please help check the feasibility of the following use case:

    • Create an automation to email users when their failed logins exceed a specific threshold (using the SecurityEvent log). Please note that we want the automation to be based off of security alerts, not incidents.
    • After the user responds saying that they didn't attempt to log in, or if we don't hear back from them for a specific period, then we'll generate an incident in Sentinel.
  • cyb3rmik3
    Iron Contributor

    Hi Bhavini,

    The oversimplified answer would be:

    1. Build the analytics query (KQL) matching your requirements with regards to failed logins.
    2. Create an analytics rule in order to create an alert, based on your analytic.
    3. Create a playbook based on your analytic rule, which will incorporate adaptive cards for Teams.
    4. User will receive a Teams notification/card where she/he will have to confirm activity.
    5. Upon response, playbook will either create an incident, or close the alert.

    If I have answered your question, please mark your post as Solved

    If you like my response, please consider giving it a like
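    A concrete form of step 1, as an added example and not a query from the thread: a KQL analytic over SecurityEvent that flags accounts whose failed logons (EventID 4625) reach a threshold inside a time window. The threshold, window, and account exclusions are assumptions to tune.

```kql
// Added example (not from the thread): analytic query for step 1.
// Assumptions: 10 failed logons per account within a 1-hour window counts as
// suspicious; Windows Security events are ingested into the SecurityEvent table.
let threshold = 10;
let lookback = 1h;
SecurityEvent
| where TimeGenerated > ago(lookback)
| where EventID == 4625                          // "An account failed to log on"
| where TargetUserName !endswith "$"             // skip computer accounts
| where TargetUserName !in ("-", "ANONYMOUS LOGON")
| summarize
    FailedCount    = count(),
    FirstFailure   = min(TimeGenerated),
    LastFailure    = max(TimeGenerated),
    SourceIPs      = make_set(IpAddress, 20),     // where the attempts came from
    Workstations   = make_set(WorkstationName, 20),
    FailureReasons = make_set(SubStatus, 10),     // e.g. 0xC000006A = bad password
    LogonTypes     = make_set(LogonType, 10)
    by TargetUserName, TargetDomainName
| where FailedCount >= threshold
| extend AccountName = strcat(TargetDomainName, @"\", TargetUserName)
| project-reorder AccountName, FailedCount, FirstFailure, LastFailure,
                  SourceIPs, Workstations, FailureReasons, LogonTypes
| order by FailedCount desc
```

    When wiring this into the analytics rule for step 2, set the rule's lookback to match `lookback` and map the Account entity to TargetUserName (Name) and TargetDomainName (NTDomain), so the playbook in step 3 receives the account to notify straight from the alert.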

      • cyb3rmik3
        Iron Contributor

        Bhavini hey, there are no pre-defined options under Sentinel in playbooks for this, so I guess Graph API is the best way to build this.
