Enrich Sentinel Incident Emails

Iron Contributor

Hey there,

I've posted here on this topic before when I didn't even know where to start - (https://techcommunity.microsoft.com/t5/microsoft-sentinel/include-additional-entities-detail-in-emai...). The guidance I got was great and I headed off to explore my options. Since then I've been sidetracked several times and I'm just getting back into this process.


The Problem

I use an automation rule to run the "send-email-with-formatted-incident-report" playbook every time an incident is created. Among the details included in the report are the entities associated with the incident. For some incidents, like "Explicit MFA Deny", the entities give enough detail to work with; that incident includes the account as a friendly name and the IP address. With most incidents, the entities don't provide enough details or the right details. The most common issue is that the account is shown as an object id.


Attemped Resolutions

So I tried to extend the playbook by doing a KQL query against the SigninLogs table. If I query the table directly, I am able to find the UserName and/or UPN. When I added this query into the playbook, the first issue I had was that most alerts include multiple entities and the query would fail when it ran into the wrong entity type. So I tried adding a new step, "Entities - Get Accounts" so the individual entity would be available in the workflow. But this fails because it's expecting a text string and the object ID is the wrong type.


Am I approaching this the wrong way? Do I need to build separate playbooks for various alert sources? Or am I missing something with the process of acquiring the entities in the playbook?







3 Replies




Did you try passing the entitles through a For Each?  This is a simple example:





This was fantastic! Thank you very much. I made a bunch of progress since you responded. For a lot of the alerts we get this works perfectly but only if the accounts that I'm acquiring have the friendly name by default. With some alerts, like Atypical Travel, the accounts show as an object ID and those don't show if I use "Entities - Get Accounts". And I don't see anything that allows me to extract the account entities if they're object IDs. Thoughts?

Typically you will have two choices.

1. You need to either enrich the original alert so that its looks up the Account for Object ID or run a totally custom rule to do that
2. You need to run a query within the playbook to do the same lookup and match as a step before get-entities

A third choice is to call a custom rule