E-mail Alert Upon Creation of New Incident


I would like to set up the following:

1) Email alerts any time a new incident is auto-generated by the "Create incidents based on all alerts generated." template.

I've tried using the "When a response to an Azure Sentinel alert is triggered" step in Logic App, and it would work if I go to the incident and click "Run Playbook". However, when new incidents pop up, the playbook isn't triggered. Is there something I am missing?

3 Replies
The playbook will not run because Sentinel doesn't want to automatically run playbooks if you don't specify it in the analytic rule.

If the incident/alert is automatically created then you can make an analytic rule and query to filter on a specific incident/alert and then check mark that specific playbook you created.

Now that the analytic rule is created, it will trigger the playbook based on the query parameters you specified.

As @TeachJing mentions, the Analytics Rule must be modified to include the Playbook on the Automated Response tab (shown below).

[Image: Add automation]

This scenario has now been made considerably easier with the use of Automation Rules.

https://docs.microsoft.com/en-us/azure/sentinel/automate-incident-handling-with-automation-rules

No longer do you have to set the automation action on every analytic rule, but you can now also get email notifications for incidents generated by all rule types (Fusion, Microsoft Security and ML Behaviour Analytics).

Just remember you will have to amend the playbook trigger to "When Azure Sentinel incident creation rule was triggered".
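As an added illustration (not part of any reply above), this is an ARM resource definition for an automation rule of the kind the last reply describes: it runs a playbook on every incident created in the workspace, whatever analytics rule produced it, because the conditions list is left empty. The workspace, subscription, resource group, playbook and tenant values are placeholders, and the playbook must use the incident-creation trigger named above.

```json
{
  "type": "Microsoft.SecurityInsights/automationRules",
  "apiVersion": "2021-10-01",
  "name": "email-on-new-incident",
  "scope": "Microsoft.OperationalInsights/workspaces/<workspace-name>",
  "properties": {
    "displayName": "Email on every new incident",
    "order": 1,
    "triggeringLogic": {
      "isEnabled": true,
      "triggersOn": "Incidents",
      "triggersWhen": "Created",
      "conditions": []
    },
    "actions": [
      {
        "order": 1,
        "actionType": "RunPlaybook",
        "actionConfiguration": {
          "logicAppResourceId": "/subscriptions/<subscription-id>/resourceGroups/<resource-group>/providers/Microsoft.Logic/workflows/<playbook-name>",
          "tenantId": "<tenant-id>"
        }
      }
    ]
  }
}
```

To restrict the rule to some incidents, add entries to `conditions` (for example a `Property` condition on `IncidentSeverity`); the Microsoft Sentinel Automation Contributor role must also be granted to the Azure Security Insights service principal on the playbook's resource group, or the rule will be unable to run it.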