How can the incident information be accessed inside Azure Sentinel?


Hello,

Since triggering a playbook from external incident creations does not work, I figured I might schedule a playbook to get the new incidents, act on the contents and set the state of the incidents.

I cannot access the incidents from Azure Sentinel playbook connectors.

How to proceed?


@Gary Bushey:

Hello Gary,

thanks for the link. Actually I tried that one before I wrote the post here.

What I have in mind is the following:

A Logic App that is scheduled to loop through recent incidents and act on some of them (depending on type) with actions like sending email and then changing the state of the incident.

Scheduled, because AFAIK triggering is not available for externally (e.g. Azure AD IP) created incidents.


I am under the impression that I cannot do this via the API and I have no idea how to schedule PowerShell scripts...

@sirferl

1) You can create an Incident (AKA case) using the REST API so you should be able to update (I have not tried this but will soon). The example listed at https://github.com/Azure/azure-rest-api-specs/tree/master/specification/securityinsights/resource-ma... may help


2) Inside a Logic App you can schedule the trigger to run on an interval so you can use that to run your PowerShell command every so often (or making an Azure Function would probably be better)
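One way to build the scheduled list, filter and update loop described in this thread, as an added example that is not code from the thread or from Microsoft. It assumes an ARM bearer token is obtained elsewhere (e.g. a managed identity in an Azure Function), uses placeholder subscription, resource group and workspace names, and the sample incidents and the product-name filter value are constructed for illustration.

```python
# Added example, not code from this thread: scheduled triage against the Azure Sentinel
# incidents REST API (api-version 2020-01-01); the ARM token and resource names are assumed.
import json
import urllib.request

API_VERSION = "2020-01-01"

def incidents_url(sub, rg, workspace, incident_id=None):
    """ARM URL for the incident collection, or for one incident when incident_id is given."""
    base = (f"https://management.azure.com/subscriptions/{sub}/resourceGroups/{rg}"
            f"/providers/Microsoft.OperationalInsights/workspaces/{workspace}"
            f"/providers/Microsoft.SecurityInsights/incidents")
    if incident_id:
        base += f"/{incident_id}"
    return f"{base}?api-version={API_VERSION}"

def select_incidents(incidents, product_name):
    """Incidents still in status New whose alerts came from the given product (the type filter)."""
    return [i for i in incidents if i["properties"]["status"] == "New" and product_name
            in i["properties"].get("additionalData", {}).get("alertProductNames", [])]

def close_payload(incident, comment):
    """PUT body: the API requires title/severity/status, so keep them and flip the status."""
    p = incident["properties"]
    return {"etag": incident.get("etag"), "properties": {
        "title": p["title"], "severity": p["severity"], "status": "Closed",
        "classification": "BenignPositive", "classificationReason": "SuspiciousButExpected",
        "classificationComment": comment}}

def arm_request(url, token, method="GET", body=None):
    """Minimal ARM call (GET to list, PUT with close_payload() to update); returns parsed JSON."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method, headers={
        "Authorization": f"Bearer {token}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)

# Constructed sample of the "value" array a GET on the collection returns (trimmed to used fields).
SAMPLE_INCIDENTS = [
    {"name": "11111111-1111-1111-1111-111111111111", "etag": '"a1"', "properties": {
        "title": "Atypical travel", "severity": "Medium", "status": "New",
        "additionalData": {"alertProductNames": ["Azure Active Directory Identity Protection"]}}},
    {"name": "22222222-2222-2222-2222-222222222222", "etag": '"b2"', "properties": {
        "title": "Brute force", "severity": "High", "status": "Active",
        "additionalData": {"alertProductNames": ["Azure Sentinel"]}}},
]

def triage(incidents, product_name, comment):
    """(incident name, update body) pairs for one scheduled run; the caller PUTs each via arm_request."""
    return [(i["name"], close_payload(i, comment)) for i in select_incidents(incidents, product_name)]
```

In a real run the caller fetches `arm_request(incidents_url(...), token)["value"]`, passes it to `triage`, and PUTs each body to `incidents_url(..., name)`; earlier preview API versions exposed the same resource as `cases`, which is why the reply above says "Incident (AKA case)".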

@Gary Bushey: thank you for the recommendations. I will try that.