cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
SOLVED

Email Alerts on New and Assigned Incidents

Stefanie Cortese
Copper Contributor

‎Feb 06 2020 07:33 AM

‎Feb 06 2020 07:33 AM

Email Alerts on New and Assigned Incidents

This is probably something simple but I would like to set-up the following: 

1) Email alerts any time a new incident is auto generated 

2) Email alert any time an incident is assigned 

 

 

23.7K Views
0 Likes
13 Replies
Reply
13 Replies
Gary Bushey

‎Feb 07 2020 03:34 AM

‎Feb 07 2020 03:34 AM

Re: Email Alerts on New and Assigned Incidents

@Stefanie Cortese Sadly, not as simple as you would think.  

 

1) This can be done using a Playbook EXCEPT that you can only assign Playbooks to Scheduled Analytic rules so an alert generated from ML or a Microsoft incident creation (the alerts that get generated from the other Azure security services like MCAS) will not automatically send the Email.  You can go to the incident's Full Details page and under the Alerts tab, select and run the Playbook but it is not automatic. There is a request for this in the UserVoice for Sentinel, https://feedback.azure.com/forums/920458-azure-sentinel/suggestions/39058018-create-a-logic-app-trig...

If you want to vote for it.

 

2) There is currently no Playbook connector that will get kicked off when an Incident is updated. I thought there was an entry in UserVoice for this as well but I did not find it.

 

0 Likes
Reply
best response confirmed by Stefanie Cortese (Copper Contributor)
CliveWatson

‎Feb 07 2020 03:38 AM

‎Feb 07 2020 03:38 AM

Solution

Re: Email Alerts on New and Assigned Incidents

@Stefanie Cortese 

 

For Question 1, you could:

 

1. Assign a Playbook that sends an email, to all your Alerts/Rules? https://docs.microsoft.com/en-us/azure/sentinel/tutorial-respond-threats-playbook.   You just need these two steps "When a trigger.." and "Send approval email" , from the diagram in step 9.  This is my preferred option.


You could instead create a new Alert in Sentinel that runs (every 5mins, which is the shortest interval), using logic like this below (just a sample, which you need to check), then attach the "send email" playbook to that Alert only. 
A variation would be to do this in all in a Playbook, with the trigger being a scheduled event (search for "Recurrence"). 
However please note, there is a cost for executing a playbook (if you wanted it once per second, that will add up!).

sample logic, you may need different filtering or data displayed.

SecurityAlert
//| where TimeGenerated > ago(1h)
| where ProductName == "Azure Sentinel"  
| where AlertSeverity !="Informational"
| project ProductName , AlertSeverity , IsIncident , AlertName , SystemAlertId
 
 
 

 



0 Likes
Reply
akefallonitis

‎Apr 24 2020 06:14 AM

‎Apr 24 2020 06:14 AM

Re: Email Alerts on New and Assigned Incidents

@CliveWatson 

 

The only problem with the solution you propose is that AlertName etc are not aggregate to the sample rules that catches all the Azure Sentinel Alert.

0 Likes
Reply
CliveWatson

‎Apr 24 2020 06:29 AM

‎Apr 24 2020 06:29 AM

Re: Email Alerts on New and Assigned Incidents

@akefallonitis 

 

The above was for Scheduled rules not "Incident creation rules".  Is that what you mean?

 

Annotation 2020-04-24 142742.jpg

0 Likes
Reply
akefallonitis

‎Apr 24 2020 06:35 AM - edited ‎Apr 24 2020 06:40 AM

‎Apr 24 2020 06:35 AM - edited ‎Apr 24 2020 06:40 AM

Re: Email Alerts on New and Assigned Incidents

@CliveWatson 

 

No i was talking about Scheduled queries too. If i run a Scheduled query rule For example name TEST with the query sent:

 

SecurityAlert
//| where TimeGenerated > ago(1h)
| where ProductName == "Azure Sentinel"
| where AlertSeverity !="Informational"
| project ProductName , AlertSeverity , IsIncident , AlertName , SystemAlertId


In the email alert i will get always "TEST" as an AlertName, the rule name and not the underlying "Azure Sentinel" alert names. I don't know if there is a way to aggregate the Real Name and pass it to the email alert for e.g. Is it ?

0 Likes
Reply
CliveWatson

‎Apr 24 2020 07:57 AM

‎Apr 24 2020 07:57 AM

Re: Email Alerts on New and Assigned Incidents

@akefallonitis 

 

What do you think is the 'real name'?  If you run this, do you see a Column that matches the 'real name'?  Can you send a screenshot of the column / field you mean please?  

 

SecurityAlert
//| where TimeGenerated > ago(1h)
| where ProductName == "Azure Sentinel"

   

0 Likes
Reply
akefallonitis

‎Apr 24 2020 10:49 AM - edited ‎Apr 24 2020 11:34 AM

‎Apr 24 2020 10:49 AM - edited ‎Apr 24 2020 11:34 AM

Re: Email Alerts on New and Assigned Incidents

@CliveWatson

Sent you a PM

0 Likes
Reply
akefallonitis

‎Apr 27 2020 03:55 AM

‎Apr 27 2020 03:55 AM

Re: Email Alerts on New and Assigned Incidents

@CliveWatson  Can you please explain more on how to write a Logic App with recurrence to get the alerts from sentinel ?

0 Likes
Reply
PrashTechTalk

‎Jul 23 2020 04:26 AM

‎Jul 23 2020 04:26 AM

Re: Email Alerts on New and Assigned Incidents

@CliveWatson -  Is there a way on how to fetch full sentinel incident URL (not the entities url) at the logic apps to send it in an email or push incident details to a incident management tool.

 

I am trying to compose it manually as couldn't get the full incident URL but again unable to get he incident object id to amend in the URL.  How can i achieve this ?   Appreciate your response.

 

https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/xxxxxx/reso...<?? Incident Object ID ??>

0 Likes
Reply
Gary Bushey

‎Jul 23 2020 05:15 AM

‎Jul 23 2020 05:15 AM

Re: Email Alerts on New and Assigned Incidents

@PrashTechTalk If you have the SubscriptionID, Resource Group name, Workspace ID (not the name), and the Alert ID you can call the "Get Incident" action from the Azure Sentinel connector to get the URL.  It doesn't return it directly but it returns the information needed to get it.

0 Likes
Reply
PrashTechTalk

‎Jul 23 2020 06:05 AM

‎Jul 23 2020 06:05 AM

Re: Email Alerts on New and Assigned Incidents

@Gary Bushey Thanks for your response.  I am using Get Incident to get all incident details but that does not provide full incident url nor does it give incident object id needed to form this URL.  Either this is a feature enhancement to include incident object id or give a full incident url.  I do not see any proprieties giving these details.. pls correct me if i am wrong and that any of the property related to incident can give this value. 

 

 

0 Likes
Reply
Gary Bushey

‎Jul 23 2020 01:00 PM

‎Jul 23 2020 01:00 PM

Re: Email Alerts on New and Assigned Incidents

@PrashTechTalk Yeah, you would need to extract that from the Body.  Not sure why everything isn't exposed ;)  The good news is there is a private preview that will help alleviate this issue and it should be released soon.

0 Likes
Reply
1 best response

Accepted Solutions
best response confirmed by Stefanie Cortese (Copper Contributor)
CliveWatson

‎Feb 07 2020 03:38 AM

‎Feb 07 2020 03:38 AM

Solution

Re: Email Alerts on New and Assigned Incidents

@Stefanie Cortese 

 

For Question 1, you could:

 

1. Assign a Playbook that sends an email, to all your Alerts/Rules? https://docs.microsoft.com/en-us/azure/sentinel/tutorial-respond-threats-playbook.   You just need these two steps "When a trigger.." and "Send approval email" , from the diagram in step 9.  This is my preferred option.


You could instead create a new Alert in Sentinel that runs (every 5mins, which is the shortest interval), using logic like this below (just a sample, which you need to check), then attach the "send email" playbook to that Alert only. 
A variation would be to do this in all in a Playbook, with the trigger being a scheduled event (search for "Recurrence"). 
However please note, there is a cost for executing a playbook (if you wanted it once per second, that will add up!).

sample logic, you may need different filtering or data displayed.

SecurityAlert
//| where TimeGenerated > ago(1h)
| where ProductName == "Azure Sentinel"  
| where AlertSeverity !="Informational"
| project ProductName , AlertSeverity , IsIncident , AlertName , SystemAlertId
 
 
 

 



View solution in original post

0 Likes
Reply