Playbook to have more details when alerted as email

I have a playbook designed for the Azure Sentinel Alert, but when the playbook is executed the email is sent with the Alert display name.

How do I get the Event count, User ID and link to the Azure Sentinel alert page in the body of the email when the playbook is executed?

1 Reply

@ss1247 We're working on that and have a new SecurityIncident table in Private Preview that will solve what you're looking for. You can join the private preview program for Azure Sentinel at the following link:

https://forms.office.com/Pages/ResponsePage.aspx?id=v4j5cvGGr0GRqy180BHbR-kibZAPJAVBiU46J6wWF_5URDFS...

In the interim, you can get this information through the API, but it's also available by digging in and doing some additional parsing in your queries. Here's an example of getting the Incident URL:

https://secureinfra.blog/2020/06/11/getting-direct-urls-for-azure-sentinel-incidents-using-kql/

The GA of the SecurityIncidents table will make this a lot easier.
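As an added example (not code from this thread, Microsoft, or the linked blog), here is the "additional parsing" the reply describes, done in Python the way a playbook step or small function would do it over one alert record: it pulls the event count out of the alert's ExtendedProperties JSON string and the user ID out of its Entities JSON string. The sample alert, the property key names and the `link_template` URL layout are assumptions; the real portal URL format is covered in the linked blog.

```python
import json
from typing import List, Optional

# Constructed sample SecurityAlert record (not real data). The shape mirrors a
# Log Analytics SecurityAlert row as a playbook receives it: ExtendedProperties
# and Entities arrive as JSON *strings*, not objects. Key names are assumptions.
SAMPLE_ALERT = {
    "AlertName": "Multiple failed logons for a user",
    "SystemAlertId": "00000000-0000-0000-0000-000000000000",  # placeholder id
    "ExtendedProperties": json.dumps({
        "Search Query Results Overall Count": "17",
        "Query Period": "01:00:00",
    }),
    "Entities": json.dumps([
        {"$id": "2", "Type": "host", "HostName": "ws-01"},
        {"$id": "3", "Type": "account", "Name": "jdoe", "UPNSuffix": "contoso.example"},
    ]),
}

def event_count(alert: dict) -> Optional[int]:
    """Read the query hit count from the ExtendedProperties JSON string.
    Returns None when the property is missing or not numeric."""
    props = json.loads(alert.get("ExtendedProperties") or "{}")
    raw = props.get("Search Query Results Overall Count")
    return int(raw) if raw is not None and str(raw).isdigit() else None

def account_upns(alert: dict) -> List[str]:
    """Return a user ID (UPN) for every 'account' entity attached to the alert."""
    entities = json.loads(alert.get("Entities") or "[]")
    upns = []
    for ent in entities:
        if ent.get("Type") != "account":
            continue
        name, suffix = ent.get("Name"), ent.get("UPNSuffix")
        upns.append(f"{name}@{suffix}" if name and suffix else name or "<unknown>")
    return upns

def email_body(alert: dict, link_template: str) -> str:
    """Compose the email body. link_template is a hypothetical format string
    with an {alert_id} slot; substitute the real portal URL layout."""
    count = event_count(alert)
    users = ", ".join(account_upns(alert)) or "(no account entity)"
    link = link_template.format(alert_id=alert.get("SystemAlertId", ""))
    return (f"Alert: {alert.get('AlertName', '')}\n"
            f"Event count: {count if count is not None else 'n/a'}\n"
            f"User ID: {users}\n"
            f"Link: {link}")

if __name__ == "__main__":
    print(email_body(SAMPLE_ALERT, "https://portal.example/alerts/{alert_id}"))
```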