
New incident notification

kastromatos
New Contributor

Hi,

I'm trying to get the Sentinel incident (Microsoft.SecurityInsights/Cases) properties (JSON body) on my API endpoint each time a new incident is created in the system.

Microsoft.Graph allows you to subscribe to and manipulate security alerts, but there is no way to get the incident based on its alert.

A playbook allows me to get the incident only for a specific rule, but it has to be manually integrated into each existing/new rule.

... and there is no Azure Sentinel API.

 

Is there a way to do so?

Thanks.

10 Replies
Solution

@kastromatos 

Today, the only way is to run a playbook for each rule.  You could have 1 playbook that is used across all your rules.

 

We will eventually release APIs.

@Nicholas DiCola (SECURITY JEDI) But what about the Microsoft Security rules like "Create incidents based on Azure ATP alerts", or MCAS alerts? You can't attach a playbook to those. So how do you get it to automatically log a SNOW incident, let's say, or send an email whenever an Azure Sentinel incident of such type is created? Are you aware of any way to do this with the current functionality?

@Cristian Calinescu 

We are aware you can not call a playbook today. We plan to change that. In the short term, if you must call a playbook then you would need to disable the MSFT rules and create scheduled rules for each product manually.

@Nicholas DiCola (SECURITY JEDI)- Many thanks for the reply. I managed to find a way around this actually, and it seems to be working pretty well. The solution I've put together is a logic app which runs on a schedule every 5 minutes and does the following:

1. It runs a Log Analytics query to get all Security Alerts generated in the last 5 minutes:

SecurityAlert
| where TimeGenerated >= now(-5m)

 

There is a slight delay between the time the alert fires in its respective solution (WDATP, MCAS, etc.) and the time it gets ingested in Log Analytics, but so far, with this timespan configuration, it hasn't missed any alert. Hopefully it won't, going forward :).

 

2. For each value returned it gets the Azure Sentinel incident (where it finds a match). I had to manually specify the Subscription ID, Resource Group, and Workspace ID and used the dynamic value of SystemAlertId for the "Specify Alert id parameter". This is the only way I managed to get it working.

 

3. It then creates a SNOW incident based on the values from the Get Incident step in Sentinel.

 

4. It gets the SNOW record.

 

5. It sends an email containing the desired info.

 

Here's a screenshot of the logic app. Hope it helps, and looking forward to you guys changing the MSFT rules. Also, going forward, it would be nice to have a way to expand/create a logic app so that when the status of the incident is set to closed in Sentinel it will automatically close the SNOW incident, or at least the alert in its respective product.

 

[Image: Capture2.PNG.jpg] [Image: Capture1.PNG]


@Cristian Calinescu 

 

This is great. You should contribute this playbook to the GitHub. If you need some help, I am happy to help you do that.

@Cristian Calinescu do you know how we can deal with empty subscription ids/workspace ids? Some of my System alerts (e.g. from MCAS) don't have a subscription id and the Azure Sentinel - Get Incident action fails in that case. Also, I was using a similar logic app as you, but instead of the Log Analytics connector I used the Microsoft Graph Security Connector to get the latest alerts. I'm not sure if it works the same way.

 

Thank you

@aal5890 - Yes, I was using the MS Graph as well, but it's a little more complicated, and there are some delays between the time generated and ingested in Log Analytics or Sentinel. You will need to hard-code your Subscription ID in the Get Incident step, as well as the Resource Group and Workspace ID. The only thing that you'll leave as dynamic is System Alert ID. You can find those values on the Azure Sentinel blade - Settings - Workspace Settings. Hope this makes sense, and I can provide you with screenshots if needed.

@Cristian Calinescu I meant the value is null, so it won't get those values back in the field "Specify subscription id". When it's accessing the path to the Azure Sentinel incident it fails, since my subscription ids for the alert are empty. Do you know if there's anything I can do to access alerts with empty subscription ids?

 

Thank you


@aal5890 - That's what I was saying. You need to copy the Subscription ID, Resource Group and Workspace ID from your Azure Sentinel - Settings - Workspace Settings (see below):

[Image: Capture1.PNG]

And paste them into the Get Incident fields as below. The only dynamic value that you will set is the System alert ID (as below):

[Image: Capture2.PNG]

Now, I assume that you already have the MCAS data source connected to Azure Sentinel and the "Create incidents from Microsoft Cloud App Security alerts" rule already enabled.

@Cristian Calinescu Sorry, I am getting the emails for everything which has a subscription id field, but for the alerts that don't, I'm not getting the email. If I hard-code it and don't make the value dynamic I will still only receive those alerts that have the subscription id. I was hoping you had some information on how I could deal with that kind of issue.

 

[Image: 1234.PNG]
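The polling flow Cristian describes (a scheduled query over SecurityAlert, then Get Incident with the workspace scope hard-coded and only SystemAlertId dynamic, as the later replies spell out), as an added Python sketch that is not part of this thread or of any Microsoft connector. The SecurityAlert rows, the fixed clock and the scope values are constructed placeholders, and it goes beyond the thread by using a lookback longer than the 5-minute schedule plus de-duplication on SystemAlertId, so the ingestion delay the post mentions is covered without ticketing the same alert twice.

```python
from datetime import datetime, timedelta, timezone

# Hard-coded Get Incident scope, copied from Sentinel > Settings > Workspace Settings.
# Placeholder values, not a real tenant.
WORKSPACE_SCOPE = {
    "subscription_id": "<subscription-id>",
    "resource_group": "<resource-group>",
    "workspace_id": "<workspace-id>",
}

NOW = datetime(2019, 12, 1, 12, 0, tzinfo=timezone.utc)  # fixed clock for the example

# Constructed rows shaped like SecurityAlert records; the MCAS ones carry no subscription id.
SAMPLE_ALERTS = [
    {"SystemAlertId": "a1", "ProviderName": "MDATP", "SubscriptionId": "<sub>",
     "TimeGenerated": NOW - timedelta(minutes=2)},
    {"SystemAlertId": "a2", "ProviderName": "MCAS", "SubscriptionId": "",
     "TimeGenerated": NOW - timedelta(minutes=7)},
    {"SystemAlertId": "a3", "ProviderName": "MCAS", "SubscriptionId": "",
     "TimeGenerated": NOW - timedelta(minutes=20)},
]

def build_query(lookback_minutes):
    """The post's KQL, with the window as a parameter instead of a fixed 5m."""
    return f"SecurityAlert\n| where TimeGenerated >= now(-{lookback_minutes}m)"

def select_new_alerts(rows, seen_ids, now, lookback_minutes):
    """Alerts inside the lookback window that no earlier run has handled.
    A window longer than the schedule absorbs ingestion delay; de-duplicating on
    SystemAlertId stops the overlapping windows from re-ticketing an alert."""
    cutoff = now - timedelta(minutes=lookback_minutes)
    fresh = []
    for row in rows:
        if row["TimeGenerated"] >= cutoff and row["SystemAlertId"] not in seen_ids:
            seen_ids.add(row["SystemAlertId"])
            fresh.append(row)
    return fresh

def get_incident_params(alert, scope=WORKSPACE_SCOPE):
    """Inputs for the Sentinel Get Incident action: fixed scope, dynamic alert id only.
    The alert's own SubscriptionId (empty for MCAS) is deliberately not used."""
    return dict(scope, alert_id=alert["SystemAlertId"])

def run_once(rows, seen_ids, now, lookback_minutes=10):
    """One scheduled run: window -> new alerts -> Get Incident inputs per alert."""
    fresh = select_new_alerts(rows, seen_ids, now, lookback_minutes)
    return [get_incident_params(alert) for alert in fresh]
```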
