Notification of Incident Assignment

Two Questions:

1. When you assign a ticket to an individual from the Sentinel Incidents - are there any inbuilt notification features, or do most people do this through Playbooks?

2. Is there a documented reference architecture for Incident Management in Azure Sentinel? For example, we would like to use native Microsoft tooling (Boards, etc.) vs. external ticketing flows.

4 Replies

@Saif_Rahman 

The easiest way to do this is to set up a Logic App that runs on a schedule (every few minutes) and runs a query against the SecurityIncident table; have it look for a "recently modified" timestamp and new assignment; the result can then be e-mailed.

The "Incident" tooling itself is fairly minimal but seems to be growing as a workflow. I'm a big fan of tailoring workflows for the business and what makes the most sense for the SOC/analysts working the incident.
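A query of the kind the scheduled Logic App above would run, added here as an example and not taken from the original reply: it compares each incident's current owner with its previous snapshot in SecurityIncident and returns only the rows where the assignment actually changed in the last poll interval, so status-only edits do not trigger a mail. It assumes a 5-minute recurrence and that `Owner.assignedTo` carries the analyst's display name; the Logic App would pass the result rows to its e-mail action.

```kusto
// Added example: detect new or changed incident assignments for a scheduled Logic App.
// Assumption: the Logic App recurs every 5 minutes, so anything modified in the last 5m is "new".
let pollInterval = 5m;
// SecurityIncident stores one row per modification, so keep enough history to find the
// previous snapshot of each incident; a prior row older than this window is treated as
// "no previous owner", which surfaces as a fresh assignment.
let history = 7d;
SecurityIncident
| where TimeGenerated > ago(history)
| extend AssignedTo = tostring(Owner.assignedTo)
// Order rows per incident chronologically so prev() returns that incident's last snapshot.
| order by IncidentNumber asc, LastModifiedTime asc
| extend PrevAssignedTo = iff(prev(IncidentNumber) == IncidentNumber, prev(AssignedTo), "")
// Only snapshots written since the last poll.
| where LastModifiedTime > ago(pollInterval)
// Keep rows where an owner is set and differs from the previous snapshot (unassigned -> assigned,
// or reassigned to someone else).
| where isnotempty(AssignedTo) and AssignedTo != PrevAssignedTo
| where Status != "Closed"
| project IncidentNumber, Title, Severity, Status, PrevAssignedTo, AssignedTo, LastModifiedTime, IncidentUrl
```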

@Saif_Rahman If you have an NDA with Microsoft, see about joining the Azure Sentinel private previews. There is one there that would be of interest to you regarding this issue.

We have an NDA in place - which one is this? @Gary Bushey

@Saif_Rahman Not sure I am allowed to say as it is a private preview. But if you join there will be a listing of all the private previews and there will definitely be one that will stand out :)