Azure Sentinel Email Alert Escalation process


Hello

I am trying to achieve the following actions using Azure playbooks/Logic Apps. In Sentinel, when an incident is generated:

1.) Send an email to a user.

2.) Check whether, within 30 minutes, the user actions on the incident and changes its status from New to Active or Closed.

3.) If yes for step 2, do nothing.

4.) If false, send an email to the user's manager.

I am okay with steps 1, 3 and 4, but I am not sure how to check the status of the Sentinel incident.

Thanks

@MalliBoppe As of now you cannot have a Playbook kicked off when an Incident is created, only an Alert, which is probably what you are doing for step 1. Note that this will be changing in the future.

You also cannot get information about the incident through a KQL query; again, this will be changing in the future. You would need to make a REST API call to get the incident's information to see if it has any changes. There are plenty of blog posts about that, including one that I wrote on populating incidents into a custom log where you can use KQL against it. This Azure Sentinel blog post talks about using the REST APIs: https://techcommunity.microsoft.com/t5/azure-sentinel/azure-sentinel-api-101/ba-p/1438928
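The two pieces the reply says the playbook needs, a REST read of the incident and the 30-minute decision from the question, as an added example that is not code from either poster. The ARM URL shape, the JSON fields `properties.status` and `properties.createdTimeUtc` and the `New`/`Active`/`Closed` status values are those of the public Microsoft.SecurityInsights incidents API; the `2020-01-01` api-version, the helper names and the sample incident are this example's own assumptions.

```python
"""Grace-period escalation check for an Azure Sentinel incident (added example).

Flow the question describes: mail the assignee on creation, then after 30 minutes
read the incident over REST; if its status is still New, mail the manager.
"""
import json
import urllib.request
from datetime import datetime, timedelta, timezone

ARM = "https://management.azure.com"
API_VERSION = "2020-01-01"            # assumption: GA version of the incidents API
GRACE_PERIOD = timedelta(minutes=30)  # the 30-minute window from the question


def incident_url(subscription_id, resource_group, workspace, incident_id):
    """Build the GET URL for one incident under the Log Analytics workspace."""
    return (
        f"{ARM}/subscriptions/{subscription_id}"
        f"/resourceGroups/{resource_group}"
        f"/providers/Microsoft.OperationalInsights/workspaces/{workspace}"
        f"/providers/Microsoft.SecurityInsights/incidents/{incident_id}"
        f"?api-version={API_VERSION}"
    )


def fetch_incident(url, bearer_token):
    """Read the incident with a bearer token from the playbook's identity.

    The token needs read rights on the workspace (Azure Sentinel Reader is enough).
    Needs network access, so it is not exercised offline.
    """
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {bearer_token}"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def parse_utc(value):
    """Parse ARM timestamps such as 2020-07-10T10:43:37.0446316Z.

    ARM emits seven fractional digits; strptime's %f takes at most six,
    so the fraction is truncated (or padded) to microseconds first.
    """
    value = value.rstrip("Z")
    if "." in value:
        base, frac = value.split(".", 1)
        value = f"{base}.{frac[:6].ljust(6, '0')}"
        fmt = "%Y-%m-%dT%H:%M:%S.%f"
    else:
        fmt = "%Y-%m-%dT%H:%M:%S"
    return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)


def decide(incident, now):
    """Return 'actioned', 'wait' or 'escalate' for an incident JSON document.

    actioned  status is no longer New (analyst set Active or Closed): do nothing
    wait      still New, but the grace period since creation has not elapsed
    escalate  still New once the grace period is over: mail the manager
    """
    props = incident["properties"]
    if props["status"] != "New":
        return "actioned"
    age = now - parse_utc(props["createdTimeUtc"])
    return "wait" if age < GRACE_PERIOD else "escalate"


# Constructed sample response, trimmed to the fields the decision uses.
SAMPLE_INCIDENT = {
    "name": "00000000-0000-0000-0000-000000000000",   # placeholder incident id
    "properties": {
        "title": "Suspicious sign-in",
        "status": "New",
        "severity": "Medium",
        "createdTimeUtc": "2020-07-10T10:43:37.0446316Z",
        "lastModifiedTimeUtc": "2020-07-10T10:43:37.0446316Z",
    },
}


def demo():
    """Evaluate the sample incident 46 minutes after creation: nobody acted, so escalate."""
    now = parse_utc("2020-07-10T11:30:00Z")
    return decide(SAMPLE_INCIDENT, now)


if __name__ == "__main__":
    print(incident_url("<subscription>", "<resource-group>", "<workspace>", SAMPLE_INCIDENT["name"]))
    print(demo())
```

In a Logic App the same logic is a Delay of 30 minutes, an HTTP action with managed identity against the URL above, a Parse JSON step, and a Condition on `body('Parse_JSON')?['properties']?['status']` being equal to `New`; the Python version is handy for testing the decision against real incident JSON before wiring the playbook.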