Forum Discussion
Stefanie Cortese
Feb 06, 2020
Copper Contributor
Email Alerts on New and Assigned Incidents
This is probably something simple but I would like to set-up the following:
1) Email alerts any time a new incident is auto generated
2) Email alert any time an incident is assigned
- CliveWatson
Microsoft
For Question 1, you could:
1. Assign a Playbook that sends an email, to all your Alerts/Rules? https://docs.microsoft.com/en-us/azure/sentinel/tutorial-respond-threats-playbook. You just need these two steps, "When a trigger.." and "Send approval email", from the diagram in step 9. This is my preferred option.
You could instead create a new Alert in Sentinel that runs (every 5 mins, which is the shortest interval), using logic like this below (just a sample, which you need to check), then attach the "send email" playbook to that Alert only.
A variation would be to do this all in a Playbook, with the trigger being a scheduled event (search for "Recurrence").
However please note, there is a cost for executing a playbook (if you wanted it once per second, that will add up!).
Sample logic, you may need different filtering or data displayed:
SecurityAlert
//| where TimeGenerated > ago(1h)
| where ProductName == "Azure Sentinel"
| where AlertSeverity != "Informational"
| project ProductName, AlertSeverity, IsIncident, AlertName, SystemAlertId
- akefallonitis
Brass Contributor
CliveWatson Can you please explain more on how to write a Logic App with recurrence to get the alerts from sentinel ?
- CliveWatson
Microsoft
This was a blog I wrote (but didn't post); hopefully it will help https://cloudblogs.microsoft.com/industry-blog/en-gb/cross-industry/2020/04/27/azure-sentinel-adding-the-query-data-to-an-alert-in-a-playbook/
- akefallonitis
Brass Contributor
The only problem with the solution you propose is that AlertName etc. are not aggregated to the sample rules that catch all the Azure Sentinel Alerts.
- CliveWatson
Microsoft
The above was for Scheduled rules not "Incident creation rules". Is that what you mean?
- GaryBushey
Bronze Contributor
Stefanie Cortese Sadly, not as simple as you would think.
1) This can be done using a Playbook EXCEPT that you can only assign Playbooks to Scheduled Analytic rules, so an alert generated from ML or a Microsoft incident creation (the alerts that get generated from the other Azure security services like MCAS) will not automatically send the Email. You can go to the incident's Full Details page and under the Alerts tab, select and run the Playbook, but it is not automatic. There is a request for this in the UserVoice for Sentinel, https://feedback.azure.com/forums/920458-azure-sentinel/suggestions/39058018-create-a-logic-app-trigger-when-an-azure-sentinel, if you want to vote for it.
2) There is currently no Playbook connector that will get kicked off when an Incident is updated. I thought there was an entry in UserVoice for this as well but I did not find it.