Forum Discussion
qlts
Apr 04, 2025 Copper Contributor
Sentinel incident playbook - get alert entities
Hi! My main task is to get all alerts (alerts, not incidents) from Sentinel (analytics rules and Defender XDR) to external case management. For different reasons we need to do this on alert level. A...
qlts
Apr 09, 2025 Copper Contributor
Great job, thanks! Meanwhile I tried different ways and came to basically the same solution. I just take the whole alert from the Alerts dynamic function and get just the entities with a KQL query.
The delay is at the beginning because it takes about 6-10 minutes to populate a new incident with entity info.
For new incidents it seems to work now. But in some cases Sentinel updates an old incident whose alert has already been sent, and no new alert is created. For example, for testing purposes I run a specific executable on my machine which triggers a custom detection rule in Defender. The first time, this playbook is triggered, but on the next execution only the incident's "updated" timestamp is renewed and a new entity is added (process, because of the new PID). What 'incident update' trigger automation rule condition would you use in that case? I need it to trigger again only when the same action happens again (new entity added or something), but not for incident status/owner/etc. updates.
ITProfessor
Apr 12, 2025 Copper Contributor
This is actually a really valid question. In that case I would probably use some tracking variables, add the number of entities flagged in the KQL, and then an additional condition where Entities != the ones previously flagged. Will try to test it out in my environment :)
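As an added illustration of the two ideas in this thread (pulling just the entities of one alert out of the SecurityAlert table, and counting them so a playbook can keep a tracking variable and compare the count with the previous run), here is a KQL query written for this reply; it is not code from either poster. The alert ID is a placeholder that the playbook would supply from its trigger, and the entity field names (`Type`, `HostName`, `ProcessId`) are assumed to follow the Sentinel entity schema.

```kql
// Added example, not from the thread. Entities is stored as a JSON-array string,
// so it is parsed once, counted, and then expanded one row per entity.
let targetAlertId = "<SystemAlertId from the playbook trigger>";  // placeholder
SecurityAlert
| where TimeGenerated > ago(1d)
| where SystemAlertId == targetAlertId
// keep only the most recent row for the alert in case it was re-ingested
| summarize arg_max(TimeGenerated, *) by SystemAlertId
| extend EntityList = parse_json(Entities)
// EntityCount is the value a playbook would store and compare on the next run
| extend EntityCount = array_length(EntityList)
| mv-expand Entity = EntityList
| project SystemAlertId, AlertName, ProviderName, EntityCount,
          EntityType = tostring(Entity.Type),
          // hosts carry HostName, processes carry ProcessId; fall back to Name
          EntityName = coalesce(tostring(Entity.HostName),
                                tostring(Entity.ProcessId),
                                tostring(Entity.Name))
```

In a playbook the `EntityCount` column is what you would write to the tracking variable; on an 'incident update' trigger, run the same query and only continue when the new count differs from the stored one, which filters out status/owner-only updates.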
qlts
Apr 15, 2025 Copper Contributor
Yeah, that should work for entity tracking. But in some cases the event happens again with no new entities; only 'Last update time' is changed. In Defender XDR/Sentinel the incident will pop up on the list, but as it does not create a new alert, the playbook is not triggered.
Not sure how it behaves when an incident is closed after the first investigation: does it reopen or create a new one?
ITProfessor
Apr 15, 2025 Copper Contributor
It will create a new one if the previous one was closed after investigation (if triggered by an analytics rule there is an option there to re-open incidents, which is off by default).