Send email or Teams message when incident has not been solved within SLA


Hi,

I was curious as to whether there is a solution to automatically send a message to Teams or to a specific mailbox if an incident has not been solved, or if it has not been assigned within a specific time limit. I'm setting up Sentinel for a customer, and they would like this functionality to track the incident management and follow up on SLAs.

I was thinking about setting up a playbook to run once a day to check when an incident was generated and, if it was generated over x hours ago, send an email to Teams. Is it possible to get the time generated from the API integration with Sentinel, or is there a better way of solving this?
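The daily check described above, as an added example that is not part of the original post: it walks a list of constructed, hypothetical incident records (shaped loosely like Sentinel incident properties, with a fixed `NOW` so the run is reproducible), flags open incidents that are unassigned or unresolved past an SLA, and builds the plain-text body a playbook would post to Teams or email.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample incidents, loosely shaped like Sentinel incident records
# (hypothetical values, not taken from the thread).
SAMPLE_INCIDENTS = [
    {"number": 101, "title": "Suspicious sign-in", "status": "New",
     "createdTimeUtc": "2020-06-29T06:00:00Z", "owner": None},
    {"number": 102, "title": "Malware detected", "status": "Active",
     "createdTimeUtc": "2020-06-28T20:00:00Z", "owner": "analyst@example.com"},
    {"number": 103, "title": "Brute force", "status": "Closed",
     "createdTimeUtc": "2020-06-27T09:00:00Z", "owner": "analyst@example.com"},
    {"number": 104, "title": "Phishing report", "status": "New",
     "createdTimeUtc": "2020-06-30T05:00:00Z", "owner": None},
]
# Fixed "now" for a reproducible run; a real playbook would use datetime.now(timezone.utc).
NOW = datetime(2020, 6, 30, 8, 0, tzinfo=timezone.utc)


def parse_utc(ts: str) -> datetime:
    """Parse the ISO-8601 'Z' timestamps used in the sample records."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def find_sla_breaches(incidents, now, assign_sla_hours=4, resolve_sla_hours=24):
    """Return open incidents that are unassigned or unresolved past their SLA."""
    breaches = []
    for inc in incidents:
        if inc["status"] == "Closed":  # solved: nothing to chase
            continue
        age = now - parse_utc(inc["createdTimeUtc"])
        reasons = []
        if inc["owner"] is None and age > timedelta(hours=assign_sla_hours):
            reasons.append("not assigned")
        if age > timedelta(hours=resolve_sla_hours):
            reasons.append("not resolved")
        if reasons:
            breaches.append({"number": inc["number"], "title": inc["title"],
                             "age_hours": round(age.total_seconds() / 3600, 1),
                             "reasons": reasons})
    return breaches


def format_notification(breaches) -> str:
    """Plain-text body for the Teams message or email the playbook would send."""
    if not breaches:
        return "All open incidents are within SLA."
    lines = [f"{len(breaches)} incident(s) outside SLA:"]
    for b in breaches:
        lines.append(f"- #{b['number']} {b['title']}: {', '.join(b['reasons'])} "
                     f"after {b['age_hours']}h")
    return "\n".join(lines)
```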

2 Replies
It would be possible to do this through a Logic App and query all the latest alerts (this can be done through the security graph, https://docs.microsoft.com/en-us/graph/api/alert-list?view=graph-rest-1.0&tabs=http, where you can filter on time created).

But I would advise just pushing the alerts to their ticketing system, as they will run into limitations this way.

@Nexxic

A feature that will have incident data *and updates* available in the workspace is expected shortly. This would allow you to write a rule to do just what you need.


~ Ofer