Detailed Email Alerts

Contributor

One area that I haven't seen covered is how to get more detail into email alerts that may be generated as the result of a playbook execution. You can get basic alert information but no information on the event data.

 

I configured this playbook which will run the query that is part of the analytic rule and send those in an email formatted as an HTML table.

 

Untitled.png

 

 

 

This is the JSON schema:

{
    "properties": {
        "Query": {
            "type": "string"
        },
        "Query End Time UTC": {
            "type": "string"
        },
        "Query Period": {
            "type": "string"
        },
        "Query Results Aggregation Kind": {
            "type": "string"
        },
        "Query Start Time UTC": {
            "type": "string"
        },
        "Search Query Results Overall Count": {
            "type": "string"
        },
        "Total Account Entities": {
            "type": "string"
        },
        "Total Host Entities": {
            "type": "string"
        },
        "Total URL Entities": {
            "type": "string"
        },
        "Trigger Operator": {
            "type": "string"
        },
        "Trigger Threshold": {
            "type": "string"
        }
    },
    "type": "object"
}

  Hope this is helpful for some of you.

7 Replies

@mperrotta Nice contribution!

@mperrotta This was priceless. I am sure it will help many people who have been desperately searching for a breakthrough..

Thanks @mperrotta 

 

Its works intermittently for me . I keep getting an error. Fails on "Alert - Get Incident" step.Any ideas

Malli900_0-1612248680136.png

 

Malli900_1-1612248731370.png

 

"innerError""Failed to run playbook - no incident found with the properties you provided"

 

 

 

 

 

 

 

did you find the reason why the error was generated? I'm running into the same.

@GraceAA A couple of things

1) Put in a time delay for 5-10 seconds between the trigger and when you load the incident.  There is sometimes brief delay creating the incident.
2) Rewrite the playbook to use to the Incident trigger that gets used with the new Azure Sentinel Automation features.  All the alert and incident information will still be available (although there may be some name changes)

Thank you very much!!