Forum Discussion

Bhavini's avatar
Bhavini
Copper Contributor
Jun 08, 2023

Sentinel Automation Requirements

Hi Team, Please help to checking feasibility for the following use case: Create an automation to email users when their failed logins exceed a specific threshold (using SecurityEvent log). Please...
automation
KQL
playbooks
cyb3rmik3's avatar
cyb3rmik3
MVP
Jun 09, 2023

Hi Bhavini,

 

the oversimplified answer would be:

  1. Build the analytics query (KQL) matching your requirements with regards to failed logins.
  2. Create an analytics rule in order to create an alert, based on your analytic.
  3. Create a playbook based on your analytic rule, which will incorporate adaptive cards for Teams.
  4. User will receive a Teams notification/card where she/he will have to confirm activity.
  5. Upon response, playbook will either create an incident, or close the alert.

 

If I have answered your question, please mark your post as Solved

If you like my response, please consider giving it a like

  • Bhavini's avatar
    Bhavini
    Copper Contributor
    Jun 12, 2023

    cyb3rmik3 How can we create 5th step. Could you please guide?

    • cyb3rmik3's avatar
      cyb3rmik3
      MVP
      Jun 22, 2023

      Bhavini hey, there are no pre-defined options under Sentinel in playbooks for this, so I guess Graph API is the best way to build this.

Resources