Microsoft Tech Community

Create a Sentinel Incident based on an Email being received


Hi All,


I'm trying to create a logic app which will generate a Sentinel incident after an email is received with a specific subject line or body content. It doesn't look like there's a straightforward way of doing this as there's no action for Sentinel to create an incident.


Any thoughts on how this could be achieved?


Thanks in advance.

3 Replies

@Sam_SOC Where is the email being recorded/stored that you are capturing the text reference?

@Sam_SOC One way would be to use the REST API (still in preview) to create the Incident. You can go here to see some examples: https://github.com/Azure/azure-rest-api-specs/tree/master/specification/securityinsights/resource-ma...


Keep in mind that the Machine Learning features of Azure Sentinel look at Alerts rather than Incidents so you may be better off creating a Logic App that can create an entry in a custom log (there is a Logic App Send Data action) based on the Email and then have an Analytic Rule create an Alert/Incident based on that custom log.

@Rod_Trent Hi Rod, it'll be from an O365 mailbox.