Apr 14 2020 01:43 AM
Hi All,
I'm trying to create a logic app which will generate a Sentinel incident after an email is received with a specific subject line or body content. It doesn't look like there's a straightforward way of doing this as there's no action for Sentinel to create an incident.
Any thoughts on how this could be achieved?
Thanks in advance.
Apr 14 2020 04:42 AM
@Sam_SOC Where is the email being recorded/stored that you are capturing the text reference?
Apr 14 2020 04:50 AM
@Sam_SOC One way would be to use the REST API (still in preview) to create the Incident. You can go here to see some examples: https://github.com/Azure/azure-rest-api-specs/tree/master/specification/securityinsights/resource-ma...
Keep in mind that the Machine Learning features of Azure Sentinel look at Alerts rather than Incidents so you may be better off creating a Logic App that can create an entry in a custom log (there is a Logic App Send Data action) based on the Email and then have an Analytic Rule create an Alert/Incident based on that custom log.
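A sketch of the custom-log half of the suggestion above, added here as an example and not code from the thread, from Microsoft or from the Logic Apps connector: it builds the HTTP Data Collector API request that the Log Analytics "Send Data" action is assumed to issue for you, plus the KQL an analytics rule could run over the resulting custom table. The workspace id, shared key, `EmailTriage` log type and sample mail are constructed placeholders.

```python
# Added example: write mail metadata to a Log Analytics custom log (what the
# "Send Data" action does) and query it from an analytics rule.
import base64
import hashlib
import hmac
import json
from datetime import datetime, timezone

RESOURCE = "/api/logs"
CONTENT_TYPE = "application/json"


def build_signature(workspace_id, shared_key_b64, rfc1123_date, content_length):
    """SharedKey authorization header for the Data Collector API (HMAC-SHA256
    over method, length, content type, x-ms-date and resource path)."""
    string_to_sign = (f"POST\n{content_length}\n{CONTENT_TYPE}\n"
                      f"x-ms-date:{rfc1123_date}\n{RESOURCE}")
    key = base64.b64decode(shared_key_b64)  # workspace primary/secondary key
    digest = hmac.new(key, string_to_sign.encode("utf-8"), hashlib.sha256).digest()
    return f"SharedKey {workspace_id}:{base64.b64encode(digest).decode()}"


def build_request(workspace_id, shared_key_b64, log_type, records, now=None):
    """Return (url, headers, body) for one batch of records destined for the
    custom table <log_type>_CL. Only the record keys are sent; string fields
    show up in KQL with an _s suffix."""
    now = now or datetime.now(timezone.utc)
    rfc1123_date = now.strftime("%a, %d %b %Y %H:%M:%S GMT")
    body = json.dumps(records)  # ASCII JSON, so len() is the byte length
    headers = {
        "Content-Type": CONTENT_TYPE,
        "Authorization": build_signature(workspace_id, shared_key_b64,
                                         rfc1123_date, len(body)),
        "Log-Type": log_type,
        "x-ms-date": rfc1123_date,
    }
    url = (f"https://{workspace_id}.ods.opinsights.azure.com{RESOURCE}"
           f"?api-version=2016-04-01")
    return url, headers, body


def email_record(subject, sender, body_preview):
    """Flatten one O365 message into a record; keep only what the rule needs."""
    return {"Subject": subject, "Sender": sender, "BodyPreview": body_preview[:500]}


# Analytics rule query over the table the batch above creates (constructed
# match terms; table and column names follow the _CL/_s convention).
ANALYTIC_RULE_KQL = """
EmailTriage_CL
| where Subject_s has "urgent invoice" or BodyPreview_s has "reset your password"
| project TimeGenerated, Subject_s, Sender_s
"""
```

The analytics rule then raises the alert and incident, so the incident carries the Subject_s and Sender_s fields as entities or custom details rather than being created directly by the Logic App.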
Apr 14 2020 05:11 AM
@Rod_Trent Hi Rod, it'll be from an O365 mailbox