Create a Sentinel Incident based on an Email being received

Hi All,
I'm trying to create a logic app which will generate a Sentinel incident after an email is received with a specific subject line or body content. It doesn't look like there's a straight forward way of doing this as there's no action for Sentinel to create an incident.
Any thoughts on how this could be achieved?
Thanks in advance.

3 Replies
@Sam_SOC Where is the email being recorded/stored that you are capturing the text reference?

@Sam_SOC One way would be to use the REST API (still in preview) to create the Incident. You can go here to see some examples: https://github.com/Azure/azure-rest-api-specs/tree/master/specification/securityinsights/resource-ma...

Keep in mind that the Machine Learning features of Azure Sentinel look at Alerts rather than Incidents so you may be better off creating a Logic App that can create an entry in a custom log (there is a Logic App Send Data action) based on the Email and then have an Analytic Rule create an Alert/Incident based on that custom log.
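
The custom-log route the reply above suggests, as an added example that is not code from this thread or from Microsoft: a matching email is turned into one row and posted to Log Analytics with the same HTTP Data Collector API the Logic App "Send Data" action uses, and a scheduled Analytics Rule on the resulting table then raises the alert/incident. The table name EmailAlerts_CL, the watch phrases, the sample email, the workspace id and the shared key are constructed placeholders.

```python
import base64, hashlib, hmac, json
from datetime import datetime, timezone

# Constructed demo values: substitute the workspace's own id and primary key at deploy time.
DEMO_WORKSPACE_ID = "00000000-0000-0000-0000-000000000000"
DEMO_SHARED_KEY = base64.b64encode(b"A" * 32).decode()
WATCH_PHRASES = ("phishing report", "security incident")  # subject/body phrases that should alert

# Constructed sample of what the O365 "When a new email arrives" trigger would hand over.
SAMPLE_EMAIL = {
    "subject": "FW: Phishing report - suspicious invoice",
    "from": "alice@example.com",
    "receivedDateTime": "2020-04-20T09:15:00Z",
    "body": "Hi SOC, I received an odd invoice attachment. Please check.",
}

def matched_phrase(email, phrases=WATCH_PHRASES):
    """First watched phrase found in subject or body (case-insensitive), else None."""
    text = f"{email.get('subject', '')} {email.get('body', '')}".lower()
    return next((p for p in phrases if p in text), None)

def build_record(email, phrase):
    """One row for the custom log; Log Analytics adds the _CL table suffix and typed field suffixes."""
    return {"Subject": email["subject"], "Sender": email["from"],
            "ReceivedTime": email["receivedDateTime"], "MatchedPhrase": phrase}

def string_to_sign(content_length, rfc1123_date):
    """Canonical string of the Data Collector API SharedKey scheme."""
    return f"POST\n{content_length}\napplication/json\nx-ms-date:{rfc1123_date}\n/api/logs"

def sign(shared_key_b64, content_length, rfc1123_date):
    """HMAC-SHA256 over the canonical string, keyed with the base64-decoded workspace key."""
    key = base64.b64decode(shared_key_b64)
    mac = hmac.new(key, string_to_sign(content_length, rfc1123_date).encode(), hashlib.sha256)
    return base64.b64encode(mac.digest()).decode()

def build_request(workspace_id, shared_key_b64, records, log_type="EmailAlerts", rfc1123_date=None):
    """Return (url, headers, body) for the POST; nothing is sent from here."""
    body = json.dumps(records).encode()
    date = rfc1123_date or datetime.now(timezone.utc).strftime("%a, %d %b %Y %H:%M:%S GMT")
    headers = {"Content-Type": "application/json", "Log-Type": log_type, "x-ms-date": date,
               "time-generated-field": "ReceivedTime",
               "Authorization": f"SharedKey {workspace_id}:{sign(shared_key_b64, len(body), date)}"}
    url = f"https://{workspace_id}.ods.opinsights.azure.com/api/logs?api-version=2016-04-01"
    return url, headers, body

# Query for the scheduled Analytics Rule that turns new rows into an alert/incident (hypothetical table).
ANALYTICS_RULE_KQL = "EmailAlerts_CL | where TimeGenerated > ago(5m) | project TimeGenerated, Sender_s, Subject_s, MatchedPhrase_s"
```

Pointing the rule at the custom log rather than creating incidents directly keeps the rows visible to Sentinel's alert-based analytics, which is the point the reply makes.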

@rodtrent Hi Rod, it'll be from an O365 mailbox