Jan 14 2020 06:02 AM - edited Jan 14 2020 06:02 AM
Hello,
Since triggering a playbook from external incident creations does not work, I figured I might schedule a playbook to get the new incidents, act on the contents and set the state of the incidents.
I cannot access the incidents from Azure Sentinel playbook connectors.
How to proceed?
Jan 15 2020 10:45 AM
@sirferl There is a great article at https://azsec.azurewebsites.net/2019/12/16/extract-all-azure-sentinel-incidents/ about how to get this information.
Jan 15 2020 10:19 PM
Hello Gary,
Thanks for the link. Actually I tried that one before I wrote the post here.
What I have in mind is the following:
A Logic App that is scheduled to loop through recent incidents and act on some of them (depending on type) with actions like sending email and then changing the state of the incident.
Scheduled, because AFAIK triggering is not available for externally (e.g. Azure AD IP) created incidents.
I am under the impression that I cannot do this via the API, and I have no idea how to schedule PowerShell scripts...
Jan 16 2020 06:08 AM
1) You can create an Incident (AKA case) using the REST API, so you should be able to update (I have not tried this but will soon). The example listed at https://github.com/Azure/azure-rest-api-specs/tree/master/specification/securityinsights/resource-ma... may help
2) Inside a Logic App you can schedule the trigger to run on an interval, so you can use that to run your PowerShell command every so often (or making an Azure Function would probably be better)
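An added example of the scheduled sweep sketched in points 1 and 2 above (not code from this thread or from Microsoft's samples), written in Python so it can run as a timer-triggered Azure Function: page through incidents over the Security Insights REST API, pick the recent untouched ones whose title matches, and PUT a state change back. The subscription/resource-group/workspace placeholders, the api-version, the "Azure AD Identity Protection" title filter, the New to Active transition, and the `get`/`put` callables are all assumptions; check the spec linked above for the exact version your workspace exposes.

```python
"""Scheduled sweep over Azure Sentinel incidents via the Security Insights REST API (illustrative)."""
import json
import urllib.request
from datetime import datetime, timedelta, timezone

SUB, RG, WS = "<subscription-id>", "<resource-group>", "<workspace>"  # placeholders
API_VERSION = "2020-01-01"  # assumed; check the linked spec for your workspace
BASE = (f"https://management.azure.com/subscriptions/{SUB}/resourceGroups/{RG}"
        f"/providers/Microsoft.OperationalInsights/workspaces/{WS}"
        f"/providers/Microsoft.SecurityInsights/incidents")

def arm_call(method, url, token, body=None):
    """Minimal ARM request with a bearer token (e.g. from a managed identity)."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method, headers={
        "Authorization": f"Bearer {token}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)

def list_incidents(get, url=f"{BASE}?api-version={API_VERSION}"):
    """Walk every page of the list response; `get` maps a URL to decoded JSON."""
    while url:
        page = get(url)
        yield from page.get("value", [])
        url = page.get("nextLink")

def parse_utc(ts):
    """Azure timestamps carry 7 fractional digits, which fromisoformat rejects."""
    return datetime.strptime(ts[:19], "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)

def select_incidents(incidents, now, lookback=timedelta(hours=1), title_contains=""):
    """Untouched (status New) incidents created within `lookback` whose title matches."""
    return [i for i in incidents
            if i["properties"].get("status") == "New"
            and now - parse_utc(i["properties"]["createdTimeUtc"]) <= lookback
            and title_contains.lower() in i["properties"].get("title", "").lower()]

def update_body(incident, new_status):
    """PUT replaces the resource, so keep the other properties; the etag lets the service detect a concurrent edit."""
    props = dict(incident["properties"]); props["status"] = new_status
    return {"etag": incident.get("etag"), "properties": props}

def sweep(get, put, now, new_status="Active", title_contains="Azure AD Identity Protection"):
    """One scheduled run; `put(url, body)` performs the update. Returns the updated incident names."""
    updated = []
    for inc in select_incidents(list_incidents(get), now, title_contains=title_contains):
        put(f"{BASE}/{inc['name']}?api-version={API_VERSION}", update_body(inc, new_status))
        updated.append(inc["name"])
    return updated
```

In the real function, `get` and `put` are thin wrappers around `arm_call("GET", ...)` and `arm_call("PUT", ...)` with a token for management.azure.com, and the sending of the email goes between selecting and updating.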
Jan 16 2020 10:27 PM
@Gary Bushey: thank you for the recommendations. I will try that.