Incident notifications on Teams


I am aware of a few playbooks that can be used for Microsoft Teams notifications when an alert/incident is triggered. However, the layout / information available through those playbooks is mediocre. Why isn't there a proper way to do notifications? I mean there is even a feature to create a Teams Channel per incident now (which is very useful), but obviously we don't want to do this for every incident. It would have been nice if there was a better way of doing Teams/email notifications.

3 Replies
Feedback is always welcome; however, what would you consider "proper"? An example of what good looks like would be useful.

@Clive Watson 


My apologies, I should have worded it better. First of all, there is no easy way of setting this up unless you go and fiddle with playbooks. Most SIEMs (if not all) come with an option to send email notifications per incident. This is usually available when you are setting up a new alert (analytics in this case). This is a useful feature in my opinion, as not all businesses operate a 24/7 SOC environment, meaning they might not have SOC analysts with Sentinel open all the time.


I have implemented the Teams notification, which can be seen below. Now this is useful, but what would have been better is if we could have had more details in here (maybe it's possible to do with different playbooks); what I would like is to see entities here as well:


The incidents page shows the user, IP and so on. It would have been useful to see this information here.

[Attached screenshot: Captures.PNG]


As I said, this is probably doable, but I think having a feature by default to include all this, rather than having to use playbooks, is a better idea. Playbooks are still useful for many other things, and I am grateful to the community for sharing many great playbooks. But I just wish the notification feature didn't rely on playbooks.

Thanks for the extra details. I know a simple method is being looked into (not confirmed). In the meantime, playbooks allow for simple to complex emails or Teams messages to be created; please take a look at examples like this one: https://github.com/Azure/Azure-Sentinel/tree/master/Playbooks/Send-email-with-formatted-incident-rep...
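The kind of richer message asked for above (incident details plus the mapped entities such as account and IP) can be built as an Adaptive Card that a playbook then posts to Teams. The following is an added example, not code from the thread or from the linked playbook; the incident payload is constructed for illustration and its field names (`kind`, `properties`, `accountName`, `upnSuffix`, `address`, `hostName`) are an assumption, not the exact schema of the Sentinel Logic Apps trigger.

```python
import json

# Constructed sample incident for this example. The field names are an
# assumption about the shape of a Sentinel incident with its entities and
# are not the exact schema emitted by the Logic Apps Sentinel trigger.
SAMPLE_INCIDENT = {
    "title": "Suspicious sign-in followed by mailbox rule creation",
    "severity": "High",
    "status": "New",
    "incidentUrl": "https://portal.azure.com/#/EXAMPLE-INCIDENT-ID",  # placeholder
    "entities": [
        {"kind": "Account", "properties": {"accountName": "j.doe", "upnSuffix": "contoso.example"}},
        {"kind": "Ip", "properties": {"address": "203.0.113.7"}},
        {"kind": "Host", "properties": {"hostName": "WS-0142"}},
    ],
}

def summarize_entity(entity):
    """Return a (kind, display value) pair for one incident entity."""
    props = entity.get("properties", {})
    kind = entity.get("kind", "Unknown")
    if kind == "Account":
        name = props.get("accountName", "?")
        suffix = props.get("upnSuffix")
        return kind, f"{name}@{suffix}" if suffix else name
    if kind == "Ip":
        return kind, props.get("address", "?")
    if kind == "Host":
        return kind, props.get("hostName", "?")
    # Unknown entity kinds are still surfaced instead of silently dropped.
    return kind, json.dumps(props, sort_keys=True)

def build_card(incident):
    """Render an incident and its entities as an Adaptive Card (JSON-serialisable dict)."""
    facts = [{"title": "Severity", "value": incident["severity"]},
             {"title": "Status", "value": incident["status"]}]
    for entity in incident.get("entities", []):
        kind, value = summarize_entity(entity)
        facts.append({"title": kind, "value": value})
    return {
        "type": "AdaptiveCard",
        "$schema": "http://adaptivecards.io/schemas/adaptive-card.json",
        "version": "1.2",
        "body": [
            {"type": "TextBlock", "size": "Medium", "weight": "Bolder", "text": incident["title"]},
            {"type": "FactSet", "facts": facts},
        ],
        "actions": [{"type": "Action.OpenUrl", "title": "Open in Sentinel", "url": incident["incidentUrl"]}],
    }

if __name__ == "__main__":
    print(json.dumps(build_card(SAMPLE_INCIDENT), indent=2))
```

The resulting JSON is what you would hand to the Teams connector's adaptive-card posting action inside the playbook, so the analyst sees the account, IP and host without opening the incident page.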