SOLVED

Email Alerts on New and Assigned Incidents

%3CLINGO-SUB%20id%3D%22lingo-sub-1155869%22%20slang%3D%22en-US%22%3EEmail%20Alerts%20on%20New%20and%20Assigned%20Incidents%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1155869%22%20slang%3D%22en-US%22%3E%3CP%3EThis%20is%20probably%20something%20simple%20but%20I%20would%20like%20to%20set-up%20the%20following%3A%26nbsp%3B%3C%2FP%3E%3CP%3E1)%20Email%20alerts%20any%20time%20a%20new%20incident%20is%20auto%20generated%26nbsp%3B%3C%2FP%3E%3CP%3E2)%20Email%20alert%20any%20time%20an%20incident%20is%20assigned%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1158129%22%20slang%3D%22en-US%22%3ERe%3A%20Email%20Alerts%20on%20New%20and%20Assigned%20Incidents%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1158129%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F154924%22%20target%3D%22_blank%22%3E%40Stefanie%20Cortese%3C%2FA%3E%26nbsp%3BSadly%2C%20not%20as%20simple%20as%20you%20would%20think.%26nbsp%3B%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E1)%20This%20can%20be%20done%20using%20a%20Playbook%20EXCEPT%20that%20you%20can%20only%20assign%20Playbooks%20to%20Scheduled%20Analytic%20rules%20so%20an%20alert%20generated%20from%20ML%20or%20a%20Microsoft%20incident%20creation%20(the%20alerts%20that%20get%20generated%20from%20the%20other%20Azure%20security%20services%20like%20MCAS)%20will%20not%20automatically%20send%20the%20Email.%26nbsp%3B%20You%20can%20go%20to%20the%20incident's%20Full%20Details%20page%20and%20under%20the%20Alerts%20tab%2C%20select%20and%20run%20the%20Playbook%20but%20it%20is%20not%20automatic.%20There%20is%20a%20request%20for%20this%20in%20the%20UserVoice%20for%20Sentinel%2C%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ffeedback.azure.com%2Fforums%2F920458-azure-sentinel%2Fsuggestions%2F39058018-create-a-logic-app-trigger-when-an-azure-sentinel%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Ffeedback.azure.com%2Fforums%2F920458-azure-sentinel%2Fsuggestions%2F39058018-create-a-logic-app-trigger-when-an-azure-sentinel%20%3C%2FA%3E%3C%2FP%3E%3CP%3EIf%20you%20want%20to%20vote%20for%20it.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E2)%20There%20is%20currently%20no%20Playbook%20connector%20that%20will%20get%20kicked%20off%20when%20an%20Incident%20is%20updated.%20I%20thought%20there%20was%20an%20entry%20in%20UserVoice%20for%20this%20as%20well%20but%20I%20did%20not%20find%20it.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1158143%22%20slang%3D%22en-US%22%3ERe%3A%20Email%20Alerts%20on%20New%20and%20Assigned%20Incidents%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1158143%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F154924%22%20target%3D%22_blank%22%3E%40Stefanie%20Cortese%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EFor%20Question%201%2C%20you%20could%3A%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E1.%20Assign%20a%20Playbook%20that%20sends%20an%20email%2C%20to%20all%20your%20Alerts%2FRules%3F%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fsentinel%2Ftutorial-respond-threats-playbook%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fsentinel%2Ftutorial-respond-threats-playbook.%20%3C%2FA%3E%26nbsp%3B%20You%20just%20need%20these%20two%20steps%20%22When%20a%20trigger..%22%20and%20%22Send%20approval%20email%22%20%2C%20from%20the%20diagram%20in%20step%209.%26nbsp%3B%20This%20is%20my%20preferred%20option.%3C%2FP%3E%0A%3CP%3E%3CBR%20%2F%3EYou%20could%20instead%20create%20a%20new%20Alert%20in%20Sentinel%20that%20runs%20(every%205mins%2C%20which%20is%20the%20shortest%20interval)%2C%20using%20logic%20like%20this%20below%20(just%20a%20sample%2C%20which%20you%20need%20to%20check)%2C%20then%20attach%20the%20%22send%20email%22%20playbook%20to%20that%20Alert%20only.%26nbsp%3B%20%3CBR%20%2F%3EA%20variation%20would%20be%20to%20do%20this%20in%20all%20in%20a%20Playbook%2C%20with%20the%20trigger%20being%20a%20scheduled%20event%20(search%20for%20%22Recurrence%22).%26nbsp%3B%20%3CBR%20%2F%3EHowever%20please%20note%2C%20there%20is%20a%20cost%20for%20executing%20a%20playbook%20(if%20you%20wanted%20it%20once%20per%20second%2C%20that%20will%20add%20up!).%3CBR%20%2F%3E%3CBR%20%2F%3E%3C%2FP%3E%0A%3CP%3Esample%20logic%2C%20you%20may%20need%20different%20filtering%20or%20data%20displayed.%3C%2FP%3E%0A%3CPRE%20class%3D%22lia-code-sample%20language-markup%22%3E%3CCODE%3ESecurityAlert%0A%2F%2F%7C%20where%20TimeGenerated%20%26gt%3B%20ago(1h)%0A%7C%20where%20ProductName%20%3D%3D%20%22Azure%20Sentinel%22%20%20%0A%7C%20where%20AlertSeverity%20!%3D%22Informational%22%0A%7C%20project%20ProductName%20%2C%20AlertSeverity%20%2C%20IsIncident%20%2C%20AlertName%20%2C%20SystemAlertId%20%3C%2FCODE%3E%3C%2FPRE%3E%0A%3CDIV%20id%3D%22tinyMceEditorClive%20Watson_0%22%20class%3D%22mceNonEditable%20lia-copypaste-placeholder%22%3E%26nbsp%3B%3C%2FDIV%3E%0A%3CDIV%20id%3D%22tinyMceEditorClive%20Watson_1%22%20class%3D%22mceNonEditable%20lia-copypaste-placeholder%22%3E%26nbsp%3B%3C%2FDIV%3E%0A%3CDIV%20id%3D%22tinyMceEditorClive%20Watson_2%22%20class%3D%22mceNonEditable%20lia-copypaste-placeholder%22%3E%26nbsp%3B%3C%2FDIV%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CBR%20%2F%3E%3CBR%20%2F%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1335564%22%20slang%3D%22en-US%22%3ERe%3A%20Email%20Alerts%20on%20New%20and%20Assigned%20Incidents%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1335564%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F239477%22%20target%3D%22_blank%22%3E%40Clive%20Watson%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThe%20only%20problem%20with%20the%20solution%20you%20propose%20is%20that%20AlertName%20etc%20are%20not%20aggregate%20to%20the%20sample%20rules%20that%20catches%20all%20the%20Azure%20Sentinel%20Alert.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1335602%22%20slang%3D%22en-US%22%3ERe%3A%20Email%20Alerts%20on%20New%20and%20Assigned%20Incidents%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1335602%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F634199%22%20target%3D%22_blank%22%3E%40akefallonitis%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EThe%20above%20was%20for%20Scheduled%20rules%20not%20%22Incident%20creation%20rules%22.%26nbsp%3B%20Is%20that%20what%20you%20mean%3F%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22Annotation%202020-04-24%20142742.jpg%22%20style%3D%22width%3A%20727px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F186478i5189F9A5D8A657A5%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20title%3D%22Annotation%202020-04-24%20142742.jpg%22%20alt%3D%22Annotation%202020-04-24%20142742.jpg%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1335619%22%20slang%3D%22en-US%22%3ERe%3A%20Email%20Alerts%20on%20New%20and%20Assigned%20Incidents%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1335619%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F239477%22%20target%3D%22_blank%22%3E%40Clive%20Watson%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ENo%20i%20was%20talking%20about%20Scheduled%20queries%20too.%20If%20i%20run%20a%20Scheduled%20query%20rule%20For%20example%20name%20%3CSTRONG%3ETEST%3C%2FSTRONG%3E%20with%20the%20query%20sent%3A%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ESecurityAlert%3CBR%20%2F%3E%2F%2F%7C%20where%20TimeGenerated%20%26gt%3B%20ago(1h)%3CBR%20%2F%3E%7C%20where%20ProductName%20%3D%3D%20%22Azure%20Sentinel%22%3CBR%20%2F%3E%7C%20where%20AlertSeverity%20!%3D%22Informational%22%3CBR%20%2F%3E%7C%20project%20ProductName%20%2C%20AlertSeverity%20%2C%20IsIncident%20%2C%20AlertName%20%2C%20SystemAlertId%3C%2FP%3E%3CP%3E%3CBR%20%2F%3EIn%20the%20email%20alert%20i%20will%20get%20always%20%22%3CSTRONG%3ETEST%3C%2FSTRONG%3E%22%20as%20an%20AlertName%2C%20the%20rule%20name%20and%20not%20the%20underlying%20%22Azure%20Sentinel%22%20alert%20names.%20I%20don't%20know%20if%20there%20is%20a%20way%20to%20aggregate%20the%20Real%20Name%20and%20pass%20it%20to%20the%20email%20alert%20for%20e.g.%20Is%20it%20%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1335821%22%20slang%3D%22en-US%22%3ERe%3A%20Email%20Alerts%20on%20New%20and%20Assigned%20Incidents%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1335821%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F634199%22%20target%3D%22_blank%22%3E%40akefallonitis%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EWhat%20do%20you%20think%20is%20the%20'real%20name'%3F%26nbsp%3B%20If%20you%20run%20this%2C%20do%20you%20see%20a%20Column%20that%20matches%20the%20'real%20name'%3F%26nbsp%3B%20Can%20you%20send%20a%20screenshot%20of%20the%20column%20%2F%20field%20you%20mean%20please%3F%26nbsp%3B%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CPRE%20class%3D%22lia-code-sample%20language-cpp%22%3E%3CCODE%3ESecurityAlert%0A%2F%2F%7C%20where%20TimeGenerated%20%26gt%3B%20ago(1h)%0A%7C%20where%20ProductName%20%3D%3D%20%22Azure%20Sentinel%22%0A%3C%2FCODE%3E%3C%2FPRE%3E%0A%3CP%3E%26nbsp%3B%20%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1336262%22%20slang%3D%22en-US%22%3ERe%3A%20Email%20Alerts%20on%20New%20and%20Assigned%20Incidents%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1336262%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F239477%22%20target%3D%22_blank%22%3E%40Clive%20Watson%3C%2FA%3ESent%20you%20a%20PM%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1340133%22%20slang%3D%22en-US%22%3ERe%3A%20Email%20Alerts%20on%20New%20and%20Assigned%20Incidents%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1340133%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F239477%22%20target%3D%22_blank%22%3E%40Clive%20Watson%3C%2FA%3E%26nbsp%3B%20Can%20you%20please%20explain%20more%20on%20how%20to%20write%20a%20Logic%20App%20with%20recurrence%20to%20get%20the%20alerts%20from%20sentinel%20%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1340653%22%20slang%3D%22en-US%22%3ERe%3A%20Email%20Alerts%20on%20New%20and%20Assigned%20Incidents%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1340653%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F634199%22%20target%3D%22_blank%22%3E%40akefallonitis%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EThis%20was%20a%20blog%20I%20wrote%20(but%20didn't%20post)%3B%20hopefully%20it%20will%20help%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fcloudblogs.microsoft.com%2Findustry-blog%2Fen-gb%2Fcross-industry%2F2020%2F04%2F27%2Fazure-sentinel-adding-the-query-data-to-an-alert-in-a-playbook%2F%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fcloudblogs.microsoft.com%2Findustry-blog%2Fen-gb%2Fcross-industry%2F2020%2F04%2F27%2Fazure-sentinel-adding-the-query-data-to-an-alert-in-a-playbook%2F%3C%2FA%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1540798%22%20slang%3D%22en-US%22%3ERe%3A%20Email%20Alerts%20on%20New%20and%20Assigned%20Incidents%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1540798%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F239477%22%20target%3D%22_blank%22%3E%40Clive%20Watson%3C%2FA%3E%26nbsp%3B-%26nbsp%3B%20Is%20there%20a%20way%20on%20how%20to%20fetch%20full%20sentinel%20incident%20URL%20(not%20the%20entities%20url)%20at%20the%20logic%20apps%20to%20send%20it%20in%20an%20email%20or%20push%20incident%20details%20to%20a%20incident%20management%20tool.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20am%20trying%20to%20compose%20it%20manually%20as%20couldn't%20get%20the%20full%20incident%20URL%20but%20again%20unable%20to%20get%20he%20incident%20object%20id%20to%20amend%20in%20the%20URL.%26nbsp%3B%20How%20can%20i%20achieve%20this%20%3F%26nbsp%3B%20%26nbsp%3BAppreciate%20your%20response.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fportal.azure.com%2F%23asset%2FMicrosoft_Azure_Security_Insights%2FIncident%2Fsubscriptions%2Fxxxxxx%2FresourceGroups%2Fxxxxx%2Fproviders%2FMicrosoft.OperationalInsights%2Fworkspaces%2Fxxxxx%2Fproviders%2FMicrosoft.SecurityInsights%2FIncidents%2F%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fportal.azure.com%2F%23asset%2FMicrosoft_Azure_Security_Insights%2FIncident%2Fsubscriptions%2Fxxxxxx%2FresourceGroups%2Fxxxxx%2Fproviders%2FMicrosoft.OperationalInsights%2Fworkspaces%2Fxxxxx%2Fproviders%2FMicrosoft.SecurityInsights%2FIncidents%2F%3C%2FA%3E%3CSTRONG%3E%3C%2FSTRONG%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1540861%22%20slang%3D%22en-US%22%3ERe%3A%20Email%20Alerts%20on%20New%20and%20Assigned%20Incidents%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1540861%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F516158%22%20target%3D%22_blank%22%3E%40Prash915%3C%2FA%3E%26nbsp%3BIf%20you%20have%20the%20SubscriptionID%2C%20Resource%20Group%20name%2C%20Workspace%20ID%20(not%20the%20name)%2C%20and%20the%20Alert%20ID%20you%20can%20call%20the%20%22Get%20Incident%22%20action%20from%20the%20Azure%20Sentinel%20connector%20to%20get%20the%20URL.%26nbsp%3B%20It%20doesn't%20return%20it%20directly%20but%20it%20returns%20the%20information%20needed%20to%20get%20it.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1540949%22%20slang%3D%22en-US%22%3ERe%3A%20Email%20Alerts%20on%20New%20and%20Assigned%20Incidents%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1540949%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F46875%22%20target%3D%22_blank%22%3E%40Gary%20Bushey%3C%2FA%3E%26nbsp%3BThanks%20for%20your%20response.%26nbsp%3B%20I%20am%20using%20Get%20Incident%20to%20get%20all%20incident%20details%20but%20that%20does%20not%20provide%20full%20incident%20url%20nor%20does%20it%20give%20incident%20object%20id%20needed%20to%20form%20this%20URL.%26nbsp%3B%20Either%20this%20is%20a%20feature%20enhancement%20to%20include%20incident%20object%20id%20or%20give%20a%20full%20incident%20url.%26nbsp%3B%20I%20do%20not%20see%20any%20proprieties%20giving%20these%20details..%20pls%20correct%20me%20if%20i%20am%20wrong%20and%20that%20any%20of%20the%20property%20related%20to%20incident%20can%20give%20this%20value.%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E
Occasional Contributor

This is probably something simple but I would like to set-up the following: 

1) Email alerts any time a new incident is auto generated 

2) Email alert any time an incident is assigned 

 

 

13 Replies

@Stefanie Cortese Sadly, not as simple as you would think.  

 

1) This can be done using a Playbook EXCEPT that you can only assign Playbooks to Scheduled Analytic rules so an alert generated from ML or a Microsoft incident creation (the alerts that get generated from the other Azure security services like MCAS) will not automatically send the Email.  You can go to the incident's Full Details page and under the Alerts tab, select and run the Playbook but it is not automatic. There is a request for this in the UserVoice for Sentinel, https://feedback.azure.com/forums/920458-azure-sentinel/suggestions/39058018-create-a-logic-app-trig...

If you want to vote for it.

 

2) There is currently no Playbook connector that will get kicked off when an Incident is updated. I thought there was an entry in UserVoice for this as well but I did not find it.

 

best response confirmed by Stefanie Cortese (Occasional Contributor)
Solution

@Stefanie Cortese 

 

For Question 1, you could:

 

1. Assign a Playbook that sends an email, to all your Alerts/Rules? https://docs.microsoft.com/en-us/azure/sentinel/tutorial-respond-threats-playbook.   You just need these two steps "When a trigger.." and "Send approval email" , from the diagram in step 9.  This is my preferred option.


You could instead create a new Alert in Sentinel that runs (every 5mins, which is the shortest interval), using logic like this below (just a sample, which you need to check), then attach the "send email" playbook to that Alert only. 
A variation would be to do this in all in a Playbook, with the trigger being a scheduled event (search for "Recurrence"). 
However please note, there is a cost for executing a playbook (if you wanted it once per second, that will add up!).

sample logic, you may need different filtering or data displayed.

SecurityAlert
//| where TimeGenerated > ago(1h)
| where ProductName == "Azure Sentinel"  
| where AlertSeverity !="Informational"
| project ProductName , AlertSeverity , IsIncident , AlertName , SystemAlertId 
 
 
 

 



@CliveWatson 

 

The only problem with the solution you propose is that AlertName etc are not aggregate to the sample rules that catches all the Azure Sentinel Alert.

@akefallonitis 

 

The above was for Scheduled rules not "Incident creation rules".  Is that what you mean?

 

Annotation 2020-04-24 142742.jpg

@CliveWatson 

 

No i was talking about Scheduled queries too. If i run a Scheduled query rule For example name TEST with the query sent:

 

SecurityAlert
//| where TimeGenerated > ago(1h)
| where ProductName == "Azure Sentinel"
| where AlertSeverity !="Informational"
| project ProductName , AlertSeverity , IsIncident , AlertName , SystemAlertId


In the email alert i will get always "TEST" as an AlertName, the rule name and not the underlying "Azure Sentinel" alert names. I don't know if there is a way to aggregate the Real Name and pass it to the email alert for e.g. Is it ?

@akefallonitis 

 

What do you think is the 'real name'?  If you run this, do you see a Column that matches the 'real name'?  Can you send a screenshot of the column / field you mean please?  

 

SecurityAlert
//| where TimeGenerated > ago(1h)
| where ProductName == "Azure Sentinel"

   

@CliveWatson

Sent you a PM

@CliveWatson  Can you please explain more on how to write a Logic App with recurrence to get the alerts from sentinel ?

@CliveWatson -  Is there a way on how to fetch full sentinel incident URL (not the entities url) at the logic apps to send it in an email or push incident details to a incident management tool.

 

I am trying to compose it manually as couldn't get the full incident URL but again unable to get he incident object id to amend in the URL.  How can i achieve this ?   Appreciate your response.

 

https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/xxxxxx/reso...<?? Incident Object ID ??>

@PrashTechTalk If you have the SubscriptionID, Resource Group name, Workspace ID (not the name), and the Alert ID you can call the "Get Incident" action from the Azure Sentinel connector to get the URL.  It doesn't return it directly but it returns the information needed to get it.

@Gary Bushey Thanks for your response.  I am using Get Incident to get all incident details but that does not provide full incident url nor does it give incident object id needed to form this URL.  Either this is a feature enhancement to include incident object id or give a full incident url.  I do not see any proprieties giving these details.. pls correct me if i am wrong and that any of the property related to incident can give this value. 

 

 

@PrashTechTalk Yeah, you would need to extract that from the Body.  Not sure why everything isn't exposed ;)  The good news is there is a private preview that will help alleviate this issue and it should be released soon.