Azure Sentinel - Scheduled Search


Hi everyone,


I need to create a report on Azure Sentinel that will send its results to selected group of email addresses, once a week.


Does anyone know how I can achieve that, and if it is even optional?


** Analytics rule is not an option, as it creates an incident. 


Thanks ! 

1 Reply

@Yasta190 


1. Create an Azure Monitor Alerts rule, send to an Action group that has the emails required.

or

2. Create a Logic App (Azure Sentinel Playbook); define a 'recurrence' trigger, run the KQL, and email. Also note, the Rule can trigger a Playbook that sends the email each time the Incident fires (use the Sentinel trigger rather than 'recurrence').

[Screenshot: Screenshot 2021-01-19 145902.jpg]
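A concrete form of option 2, added here as an example and not taken from the reply or from Microsoft's documentation: a Logic App workflow definition with a weekly Recurrence trigger, an Azure Monitor Logs "Run query and list results" action against the Sentinel workspace, a "Create HTML table" step, and an Office 365 "Send an email (V2)" action. Values in angle brackets are placeholders; the connector paths, the schedule and the sample KQL (a read-only summary of failed sign-ins) are my assumptions, so check them against the connectors in your tenant.

```json
{
  "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
  "contentVersion": "1.0.0.0",
  "parameters": { "$connections": { "type": "Object", "defaultValue": {} } },
  "triggers": {
    "Weekly_recurrence": {
      "type": "Recurrence",
      "recurrence": { "frequency": "Week", "interval": 1, "timeZone": "UTC",
                      "schedule": { "weekDays": ["Monday"], "hours": [8], "minutes": [0] } }
    }
  },
  "actions": {
    "Run_query_and_list_results": {
      "type": "ApiConnection",
      "runAfter": {},
      "inputs": {
        "host": { "connection": { "name": "@parameters('$connections')['azuremonitorlogs']['connectionId']" } },
        "method": "post",
        "path": "/queryData",
        "queries": {
          "subscriptions": "<subscription-id>",
          "resourcegroups": "<resource-group>",
          "resourcetype": "Log Analytics Workspace",
          "resourcename": "<sentinel-workspace>",
          "timerange": "Last 7 days"
        },
        "body": { "query": "SigninLogs | where ResultType != \"0\" | summarize FailedSignIns = count() by UserPrincipalName | top 20 by FailedSignIns" }
      }
    },
    "Create_HTML_table": {
      "type": "Table",
      "runAfter": { "Run_query_and_list_results": ["Succeeded"] },
      "inputs": { "format": "HTML", "from": "@body('Run_query_and_list_results')?['value']" }
    },
    "Send_an_email_(V2)": {
      "type": "ApiConnection",
      "runAfter": { "Create_HTML_table": ["Succeeded"] },
      "inputs": {
        "host": { "connection": { "name": "@parameters('$connections')['office365']['connectionId']" } },
        "method": "post",
        "path": "/v2/Mail",
        "body": { "To": "<soc-reports@example.com>",
                  "Subject": "Weekly Sentinel report: failed sign-ins (last 7 days)",
                  "Body": "<p>@{body('Create_HTML_table')}</p>" }
      }
    }
  }
}
```

Because this runs a query and nothing else, the identity behind the azuremonitorlogs connection only needs read access to the workspace, and the mailbox behind the office365 connection should be a dedicated reporting account rather than an analyst's own. Sending to a distribution list keeps the recipient set manageable without editing the playbook.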