Microsoft Sentinel Automation Tips & Tricks – Part 3: Send email notification options
Published Jul 13 2022 08:57 AM 24.3K Views
Microsoft

This blog is part of a multi-series

Part 1: Automation rules

Part 2: Playbooks

Part 3: Send email notification options – this blog

Part 4: Dynamic content and expressions – coming soon

 

Sending an email notification is an everyday automation task. Organizations commonly use the "Office 365 Outlook" Logic App connector, action "Send an email", to perform this routine task. This blog will cover other options for sending an email notification like using a shared mailbox, crating approval process, adding options, using HTTP connector, etc.
In one of the following blog series parts, we will also go through actions like "Compose" and "Create HTML table" that we are using to enrich email notifications sent.

 

Send As a group when using Office 365 Outlook connector

When using playbooks, Office 365 Outlook connector is one of the few connectors that are not utilizing service principal and/or managed identity as an option to authorize Logic App connector. You must use user identity to authorize the connector, and all sent emails, for example, are sent using that identity (From: will be from the user that authorized the connector).

 

But for those who want to use the group for that option, you can utilize Send As functionality of Office 365 Connector. When you finish authorizing the connector or using existing authorization, you need to select “Add new parameter” and choose “From (Send As)”. Please note that the user who authorized the connector needs to have Send As permission on that group.

SendAsConfig.gif

 

Send approval email

Office 365 Outlook connector can be used to send approval emails as well. This can be used when we want SOC Analyst approval to perform an action; based on that input, we will decide whether that action will be performed. For example, if we have an incident the user is compromised, and it includes known IP or some other entity, we can automatically send an email with an approval request to block the user. In the body, we can enter all necessary data from the incident so that SOC Analysts can decide.

 

BenjiSec_1-1657700250299.png

 

Example of email with approval process:

BenjiSec_2-1657700250309.png

 

After this, we can add a condition that if we click Approve – we will block the user, or if we click Reject – the user will not be blocked. For that, we will use the “SelectedOption” value from dynamic content.

 

BenjiSec_3-1657700250311.png

 

Send an email with options

If we need to get users’ input, we can send an email with options as automation. We can offer multiple choices to users from which they can choose. Based on the selection, we can decide the following action in the playbook.

BenjiSec_4-1657700250320.jpeg

 

Since it can be more than 2 selections, the condition can be tricky to configure. In this case, we can utilize the Switch condition where we can have a stream for each choice offered:

BenjiSec_5-1657700250322.png

 

An example where we can use this is when we have a sign in from an unfamiliar location, where we can offer a few choices to the user to see did the user performed that action. Choices can be Yes - business trip, Yes – Vacation, No, Not sure, etc. When using this for sensitive tasks, double-check users’ answers because users will sometimes click on the first response, or bad actors can pretend that it is the actual user.

 

Send an email from a shared mailbox

This specific action in Office 365 Outlook Logic App connector gives you the option to send email from the shared mailbox. You still need to authorize the Logic App connector with the user identity, but all emails will be sent using a shared mailbox:

 

BenjiSec_6-1657700250325.png

 

Send email from shared mailbox using HTTP

If you need to use service principal/managed identity to send an email, you can utilize HTTP action and authorize it with service principal or system-assigned managed identity.

 

In this case, we are utilizing Microsoft Graph API – Send mail, and we need to assign “Mail.Send” permission to the service principal or managed identity.

 

This is an example of how to use HTTP action with sample body. 

BenjiSec_7-1657700250329.png

 

Method:

POST

 

API:

 

https://graph.microsoft.com/v1.0/users/<email>/sendMail

 

Headers:

content-type: application/JSON

 

Body:

 

{
  "message": {
    "body": {
      "content": "<email body text>",
      "contentType": "Text"
    },
    "subject": "<email subject>",
    "toRecipients": [
      {
        "emailAddress": {
          "address": "<send to email>"
        }
      }
    ]
  },
  "saveToSentItems": "false"
}

 

 

Outlook.com and Gmail actions

If you prefer to utilize Outlook or Gmail accounts to send an email, you can utilize native actions from Outlook.com and Gmail connectors. You will need to authorize these connectors with a valid Outlook.com or Gmail account to be able to utilize the same.

BenjiSec_8-1657700250331.png

 

BenjiSec_9-1657700250334.png

 

SMTP connector to send emails

You can also utilize the SMTP Logic App connector to send an email. You will need the following data to authorize the connection; after authorisation, you can use it to send emails.

 

Property

Required

Description

Connection Name

Yes

A name for the connection to your SMTP server

SMTP Server Address

Yes

The address for your SMTP server

User Name

Yes

Your username for your SMTP account

Password

Yes

Your password for your SMTP account

SMTP Server Port

No

A specific port on your SMTP server you want to use

Enable SSL?

No

Turn on or turn off TLS/SSL encryption.

 

Note:

When you use 2-step verification, the connector may be blocked from accessing your account. If this is the case, please try to create and use an App Password.

 

 

Part 2: Playbooks

Part 4: Dynamic content and expressions – coming soon >

4 Comments
Version history
Last update:
‎Jul 13 2022 01:53 AM
Updated by: