Assigning alerts/incidents in Sentinel to a specific team/user/group.


Hi Guys,

 

Is there a way to assign a particular incident coming in from different sources to a team/user/group instead of the admin going to the portal and assigning it to himself?

Considering our team size, the requirement is to have respective SMEs take care of the incidents coming from their respective sources. For example: incidents coming from MCAS to be assigned to XYZ, incidents coming from AADIP to ABC and so on, either by using a playbook or by any other means.

 

Also, is there a way to pin/export a dashboard of sorts to the homepage of Sentinel to see the number of incidents resolved/in progress and new, to be refreshed from time to time?

 

Thanking in anticipation

5 Replies

@Pranesh1060 

 

For the Dashboard piece, you can pin a query or Workbook to the Azure Dashboards (the main Azure console dashboard), which would act as a quick view into open issues.

 

For the auto-assignment, have you looked at generating a Playbook (Logic App) to do this?

@Pranesh1060 To answer your first question, unfortunately Playbooks can only be assigned to Scheduled rules so alerts that get generated from other sources like MCAS would not be able to trigger a Playbook (yet? Please, Microsoft.  Make this happen!).   You can trigger the Playbook from the Incident's full details page using the Alert tab but that is a manual process.

 

In regards to your second question, unfortunately there is no way to get the information you want into a Sentinel workbook since the Incident information is not stored in Log Analytics.  I did write a blog post about how to load the information into PowerBI and from there you can create the reports you want.  Not the best option but it might have to do for now.   https://www.garybushey.com/2020/01/20/azure-sentinel-incidents-in-powerbi/

 

@Gary Bushey 

 

Hi Gary, thanks for your response. However, when playbooks are getting triggered for a scheduled alert, is there a possibility to hard code the name of the administrator or a team directly? Like for every MCAS scheduled alert the incident owner should be me.

@Pranesh1060 Yes and no.  Yes, you can do it and no, it won't be easy.   Unfortunately, as it stands right now, using the Logic App Sentinel connector you can change a lot of settings on the Incident including severity, status, labels, title and description but the person the incident is assigned to is not one of the fields (probably because of the need to pass in a GUID, see below). 

 

You can do this using the REST API calls and there is a Logic App action to make this call.  You would need to get the Incident in question using a REST call, modify the "owner" field under the "properties" field and then update the Incident.  The hard part is that the "owner" field has 3 fields under it, "objectId" (which is the user's Azure AD GUID), "email", and "name".  If you can get that GUID the rest should be easy.

 

I have a blog post on creating a Fusion rule that shows you what needs to be done to make a call into the REST API using a PUT call (see below).  You can use most of that code; just remember that you need to get the Incident first so that all the rest of the fields are filled in.  Here is the code I used, making the substitutions as needed:

 


# Incident (case) resource URI; replace the bracketed placeholders with your own values
$uri = "https://management.azure.com/subscriptions/<subscription>/resourceGroups/<resource group>/providers/Microsoft.OperationalInsights/workspaces/<workspace>/providers/Microsoft.SecurityInsights/cases/<case name>?api-version=2019-01-01-preview"

# GET the incident first so every existing field is present in the body that is PUT back
# ($authHeader is the bearer-token Authorization header built earlier in the blog post's script)
$body = (Invoke-RestMethod -Method "Get" -Uri $uri -Headers $authHeader)

# Only the owner block changes; objectId is the user's Azure AD GUID
$body.properties.owner.objectId = "<user guid>"
$body.properties.owner.email = "gary.bushey@nowhere.com"
$body.properties.owner.name = "Gary Bushey"

 

And then call the rest of the code to perform the PUT.

Blog post: Working with Analytics rules Part 3 – Create Fusion / ML Rule, https://www.garybushey.com/2020/01/14/working-with-analytics-rules-part-3-create-fusion-ml-rule/

@Pranesh1060 I wrote a quick blog post on how to do this using PowerShell, https://www.garybushey.com/2020/01/28/updating-an-incident-using-rest-calls-in-powershell/.   There is no reason you could not iterate through all the Incidents, find those that are unassigned, determine which person/group it should go to, and then use the code in the blog post to make the changes and update the Incident.

 

You could have this run on a schedule using Azure Automation.  While it will not automatically update your Incidents, they could be updated fairly quickly.
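The procedure described across the last two replies (GET the incident, rewrite properties.owner, PUT it back; then iterate over unassigned incidents on an Azure Automation schedule and route each one by its source), as an added PowerShell example that is not Gary's code, the blog post's code, or Microsoft's. It assumes the Az.Accounts module, a managed identity holding the Microsoft Sentinel Responder role on the workspace, and the newer incidents endpoint (api-version 2020-01-01) with the owner fields objectId, email, userPrincipalName and assignedTo, rather than the older cases endpoint quoted above. The product-name keys, GUIDs and addresses in the routing table are constructed placeholders, and additionalData.alertProductNames is the response field assumed to carry the alert's source product.

```powershell
# Added example (not the thread author's code): a scheduled runbook that assigns
# unowned Sentinel incidents to an owner chosen by the alert's source product.
# Assumptions: Az.Accounts is available, the automation identity holds the
# Microsoft Sentinel Responder role on the workspace, and the placeholder
# subscription / resource group / workspace / object IDs below are replaced.

$SubscriptionId = '<subscription-id>'   # placeholder
$ResourceGroup  = '<resource-group>'    # placeholder
$Workspace      = '<workspace-name>'    # placeholder
$ApiVersion     = '2020-01-01'

# Routing table: alert product name (as reported by Sentinel) -> owner block.
# Keys and owner values are constructed placeholders; look each objectId up in
# Azure AD and, in a real deployment, load this table from secured configuration
# rather than hard-coding it in the runbook.
$RoutingTable = @{
    'Microsoft Cloud App Security' = @{
        objectId          = '00000000-0000-0000-0000-000000000001'
        email             = 'xyz@contoso.example'
        userPrincipalName = 'xyz@contoso.example'
        assignedTo        = 'XYZ (MCAS SME)'
    }
    'Azure Active Directory Identity Protection' = @{
        objectId          = '00000000-0000-0000-0000-000000000002'
        email             = 'abc@contoso.example'
        userPrincipalName = 'abc@contoso.example'
        assignedTo        = 'ABC (AADIP SME)'
    }
}

# Pure routing decision, kept apart from the REST calls so it can be exercised
# offline: returns the owner block for the first product with a configured SME,
# or $null when none of the incident's alert sources has one.
function Resolve-IncidentOwner {
    param([string[]]$AlertProductNames, [hashtable]$Table = $RoutingTable)
    foreach ($product in $AlertProductNames) {
        if ($Table.ContainsKey($product)) { return $Table[$product] }
    }
    return $null
}

function Get-AuthHeader {
    # Managed-identity sign-in inside Azure Automation; drop -Identity when run interactively.
    Connect-AzAccount -Identity | Out-Null
    $token = (Get-AzAccessToken -ResourceUrl 'https://management.azure.com/').Token
    return @{ Authorization = "Bearer $token"; 'Content-Type' = 'application/json' }
}

$baseUri = "https://management.azure.com/subscriptions/$SubscriptionId/resourceGroups/$ResourceGroup" +
           "/providers/Microsoft.OperationalInsights/workspaces/$Workspace/providers/Microsoft.SecurityInsights"

# Walks the list endpoint and follows nextLink so a large backlog is not truncated.
function Get-AllIncidents {
    param([hashtable]$Headers)
    $uri = "$baseUri/incidents?api-version=$ApiVersion"
    while ($uri) {
        $page = Invoke-RestMethod -Method Get -Uri $uri -Headers $Headers
        foreach ($incident in $page.value) { $incident }
        $uri = $page.nextLink
    }
}

function Set-IncidentOwner {
    param($Incident, [hashtable]$Owner, [hashtable]$Headers)
    # GET the incident first, as the thread advises, so the PUT body carries every
    # existing field; then replace only the owner block. Add-Member -Force also
    # handles the unassigned case, where owner comes back with null members.
    $uri  = "$baseUri/incidents/$($Incident.name)?api-version=$ApiVersion"
    $body = Invoke-RestMethod -Method Get -Uri $uri -Headers $Headers
    $body.properties | Add-Member -NotePropertyName owner -NotePropertyValue ([pscustomobject]$Owner) -Force
    Invoke-RestMethod -Method Put -Uri $uri -Headers $Headers -Body ($body | ConvertTo-Json -Depth 20)
}

# Main loop: touch only incidents with no owner yet, so an analyst's manual
# assignment in the portal is never overwritten, and log each change for audit.
$headers = Get-AuthHeader
foreach ($incident in Get-AllIncidents -Headers $headers) {
    if ($incident.properties.owner.objectId) { continue }   # already assigned
    $owner = Resolve-IncidentOwner -AlertProductNames $incident.properties.additionalData.alertProductNames
    if (-not $owner) { Write-Output "No route for incident $($incident.name); leaving unassigned"; continue }
    Set-IncidentOwner -Incident $incident -Owner $owner -Headers $headers | Out-Null
    Write-Output "Incident $($incident.properties.incidentNumber) -> $($owner.assignedTo)"
}
```

Resolve-IncidentOwner can be run on its own with a sample string array (for example, a single 'Microsoft Cloud App Security' entry) to confirm the routing table before the runbook is scheduled; because the loop skips any incident whose owner.objectId is already set, rerunning it is idempotent, and the runbook's identity only ever needs the Responder role on the one workspace.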