Feb 06 2020 07:33 AM
This is probably something simple but I would like to set-up the following:
1) Email alerts any time a new incident is auto generated
2) Email alert any time an incident is assigned
Feb 07 2020 03:34 AM
@Stefanie Cortese Sadly, not as simple as you would think.
1) This can be done using a Playbook EXCEPT that you can only assign Playbooks to Scheduled Analytic rules so an alert generated from ML or a Microsoft incident creation (the alerts that get generated from the other Azure security services like MCAS) will not automatically send the Email. You can go to the incident's Full Details page and under the Alerts tab, select and run the Playbook but it is not automatic. There is a request for this in the UserVoice for Sentinel, https://feedback.azure.com/forums/920458-azure-sentinel/suggestions/39058018-create-a-logic-app-trig...
If you want to vote for it.
2) There is currently no Playbook connector that will get kicked off when an Incident is updated. I thought there was an entry in UserVoice for this as well but I did not find it.
Feb 07 2020 03:38 AM
Solution
For Question 1, you could:
1. Assign a Playbook that sends an email, to all your Alerts/Rules? https://docs.microsoft.com/en-us/azure/sentinel/tutorial-respond-threats-playbook. You just need these two steps "When a trigger.." and "Send approval email" , from the diagram in step 9. This is my preferred option.
You could instead create a new Alert in Sentinel that runs (every 5mins, which is the shortest interval), using logic like this below (just a sample, which you need to check), then attach the "send email" playbook to that Alert only.
A variation would be to do this in all in a Playbook, with the trigger being a scheduled event (search for "Recurrence").
However please note, there is a cost for executing a playbook (if you wanted it once per second, that will add up!).
sample logic, you may need different filtering or data displayed.
SecurityAlert
//| where TimeGenerated > ago(1h)
| where ProductName == "Azure Sentinel"
| where AlertSeverity !="Informational"
| project ProductName , AlertSeverity , IsIncident , AlertName , SystemAlertId
Apr 24 2020 06:14 AM
The only problem with the solution you propose is that AlertName etc are not aggregate to the sample rules that catches all the Azure Sentinel Alert.
Apr 24 2020 06:29 AM
The above was for Scheduled rules not "Incident creation rules". Is that what you mean?
Apr 24 2020 06:35 AM - edited Apr 24 2020 06:40 AM
No i was talking about Scheduled queries too. If i run a Scheduled query rule For example name TEST with the query sent:
SecurityAlert
//| where TimeGenerated > ago(1h)
| where ProductName == "Azure Sentinel"
| where AlertSeverity !="Informational"
| project ProductName , AlertSeverity , IsIncident , AlertName , SystemAlertId
In the email alert i will get always "TEST" as an AlertName, the rule name and not the underlying "Azure Sentinel" alert names. I don't know if there is a way to aggregate the Real Name and pass it to the email alert for e.g. Is it ?
Apr 24 2020 07:57 AM
What do you think is the 'real name'? If you run this, do you see a Column that matches the 'real name'? Can you send a screenshot of the column / field you mean please?
SecurityAlert
//| where TimeGenerated > ago(1h)
| where ProductName == "Azure Sentinel"
Apr 24 2020 10:49 AM - edited Apr 24 2020 11:34 AM
Sent you a PM
Apr 27 2020 03:55 AM
@CliveWatson Can you please explain more on how to write a Logic App with recurrence to get the alerts from sentinel ?
Apr 27 2020 07:29 AM
This was a blog I wrote (but didn't post); hopefully it will help https://cloudblogs.microsoft.com/industry-blog/en-gb/cross-industry/2020/04/27/azure-sentinel-adding...
Jul 23 2020 04:26 AM
@CliveWatson - Is there a way on how to fetch full sentinel incident URL (not the entities url) at the logic apps to send it in an email or push incident details to a incident management tool.
I am trying to compose it manually as couldn't get the full incident URL but again unable to get he incident object id to amend in the URL. How can i achieve this ? Appreciate your response.
https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/xxxxxx/reso...<?? Incident Object ID ??>
Jul 23 2020 05:15 AM
@PrashTechTalk If you have the SubscriptionID, Resource Group name, Workspace ID (not the name), and the Alert ID you can call the "Get Incident" action from the Azure Sentinel connector to get the URL. It doesn't return it directly but it returns the information needed to get it.
Jul 23 2020 06:05 AM
@Gary Bushey Thanks for your response. I am using Get Incident to get all incident details but that does not provide full incident url nor does it give incident object id needed to form this URL. Either this is a feature enhancement to include incident object id or give a full incident url. I do not see any proprieties giving these details.. pls correct me if i am wrong and that any of the property related to incident can give this value.
Jul 23 2020 01:00 PM
@PrashTechTalk Yeah, you would need to extract that from the Body. Not sure why everything isn't exposed 😉 The good news is there is a private preview that will help alleviate this issue and it should be released soon.
Feb 07 2020 03:38 AM
Solution
For Question 1, you could:
1. Assign a Playbook that sends an email, to all your Alerts/Rules? https://docs.microsoft.com/en-us/azure/sentinel/tutorial-respond-threats-playbook. You just need these two steps "When a trigger.." and "Send approval email" , from the diagram in step 9. This is my preferred option.
You could instead create a new Alert in Sentinel that runs (every 5mins, which is the shortest interval), using logic like this below (just a sample, which you need to check), then attach the "send email" playbook to that Alert only.
A variation would be to do this in all in a Playbook, with the trigger being a scheduled event (search for "Recurrence").
However please note, there is a cost for executing a playbook (if you wanted it once per second, that will add up!).
sample logic, you may need different filtering or data displayed.
SecurityAlert
//| where TimeGenerated > ago(1h)
| where ProductName == "Azure Sentinel"
| where AlertSeverity !="Informational"
| project ProductName , AlertSeverity , IsIncident , AlertName , SystemAlertId