Notification of Incident Assignment


Two Questions:


1. When you assign a ticket to an individual from the Sentinel Incidents, are there any inbuilt notification features, or do most people do this through Playbooks?


2. Is there a documented reference architecture for Incident Management in Azure Sentinel? For example, we would like to use native Microsoft tooling (Boards, etc.) vs. external ticketing flows.


4 Replies

@Saif_Rahman 


The easiest way to do this is to set up a Logic App that runs on a schedule (every few minutes) and runs a query against the SecurityIncident table; have it look for a "recently modified" timestamp and new assignment; the result can then be e-mailed.


The "Incident" tooling itself is fairly minimal but seems to be growing as a workflow. I'm a big fan of tailoring workflows for the business and what makes the most sense for the SOC/analysts working the incident.
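The query the reply above describes, written out as an added example (it is not code from the reply's author or from Microsoft). A scheduled Logic App would run something like this against the real SecurityIncident table with the Azure Monitor Logs connector and pass the rows to a send-mail action. Here the table is replaced by a constructed datatable so the logic can be run on its own: the column names follow the real SecurityIncident schema, but every row, person, address and URL is made up, and the names SampleIncidents, runTime, lookback, history, recent and previous are this example's own.

```kusto
// Constructed stand-in for the SecurityIncident table (column names follow the real
// Sentinel schema; every row, name, address and URL below is made up for the example).
let SampleIncidents = datatable(
    TimeGenerated:datetime, IncidentNumber:int, Title:string, Severity:string,
    Status:string, Owner:dynamic, ModifiedBy:string, IncidentUrl:string)
[
    datetime(2021-01-05 09:00:00), 101, "Suspicious sign-in", "Medium", "New",
        dynamic({"assignedTo":"", "email":""}), "Analytics rule", "https://portal.example.invalid/incident/101",
    datetime(2021-01-05 09:12:00), 101, "Suspicious sign-in", "Medium", "Active",
        dynamic({"assignedTo":"Alice Analyst", "email":"alice@example.com"}), "bob@example.com", "https://portal.example.invalid/incident/101",
    datetime(2021-01-05 09:05:00), 102, "Malware detected", "High", "Active",
        dynamic({"assignedTo":"Carol Analyst", "email":"carol@example.com"}), "carol@example.com", "https://portal.example.invalid/incident/102",
    datetime(2021-01-05 09:14:00), 102, "Malware detected", "High", "Active",
        dynamic({"assignedTo":"Carol Analyst", "email":"carol@example.com"}), "carol@example.com", "https://portal.example.invalid/incident/102"
];
// Fixed "current time" so the sample is reproducible; a scheduled Logic App would use now().
let runTime = datetime(2021-01-05 09:15:00);
let lookback = 10m;          // match this to the Logic App recurrence interval
let history = 7d;            // how far back to look for the owner we already knew about
// Latest record per incident written inside the lookback window.
let recent = SampleIncidents
    | where TimeGenerated > runTime - lookback
    | summarize arg_max(TimeGenerated, *) by IncidentNumber
    | extend NewOwnerEmail = tostring(Owner.email);
// Latest record per incident written before the window (bounded so the scan stays cheap).
let previous = SampleIncidents
    | where TimeGenerated between ((runTime - history) .. (runTime - lookback))
    | summarize arg_max(TimeGenerated, *) by IncidentNumber
    | project IncidentNumber, PreviousOwnerEmail = tostring(Owner.email);
recent
| join kind=leftouter previous on IncidentNumber
// Keep only incidents that now have an owner who differs from the one last seen;
// a brand-new incident has no previous row, so its first assignment also counts.
| where isnotempty(NewOwnerEmail) and NewOwnerEmail != PreviousOwnerEmail
| project IncidentNumber, Title, Severity, Status,
          AssignedTo = tostring(Owner.assignedTo), NewOwnerEmail, PreviousOwnerEmail,
          ModifiedBy, LastModified = TimeGenerated, IncidentUrl
```

Against the sample data only incident 101 comes back (it was unassigned before the window and is now owned by alice@example.com); incident 102 is modified inside the window but keeps the same owner, so it is filtered out. Comparing against the previous owner rather than just filtering on a recent timestamp is what keeps the Logic App from re-mailing the same assignment every run; keeping the lookback equal to the recurrence interval avoids gaps and overlaps between runs.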

@Saif_Rahman If you have an NDA with Microsoft, see about joining the Azure Sentinel private previews. There is one there that would be of interest to you regarding this issue.

We have an NDA in place; which one is this? @Gary Bushey

@Saif_Rahman Not sure I am allowed to say, as it is a private preview. But if you join, there will be a listing of all the private previews and there will definitely be one that will stand out :)