Notification of Incident Assignment

Two questions:

1. When you assign a ticket to an individual from the Sentinel Incidents, are there any inbuilt notification features, or do most people do this through Playbooks?

2. Is there a documented reference architecture for Incident Management in Azure Sentinel? For example, we would like to use native Microsoft tooling (Boards, etc.) vs. external ticketing flows.

The easiest way to do this is to set up a Logic App that runs on a schedule (every few minutes) and runs a query against the SecurityIncident table; have it look for a "recently modified" timestamp and new assignment; the result can then be e-mailed.

The "Incident" tooling itself is fairly minimal but seems to be growing as a workflow. I'm a big fan of tailoring workflows for the business and what makes the most sense for the SOC/analysts working the incident.
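As an added example (not part of the thread, and not Microsoft's code), the following Python models the poll the reply above describes: every few minutes, take the SecurityIncident rows modified since the last poll, work out which incidents gained or changed an assignee, and render the e-mail body. The row shape (IncidentNumber, Title, Owner with assignedTo/email, LastModifiedTime) is assumed from the SecurityIncident table, the KQL string is an assumed shape of the query the Logic App step would issue, and the sample rows are constructed.

```python
"""Detect newly assigned Azure Sentinel incidents from SecurityIncident rows.

Assumptions: one SecurityIncident row per modification of an incident, with the
assignee stored in the dynamic Owner column; the poll runs every 5 minutes.
"""
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

POLL_WINDOW = timedelta(minutes=5)  # assumed Logic App recurrence interval

# Assumed shape of the KQL the Logic App "Run query and list results" step would
# issue: it narrows the table to rows modified since the last poll. The
# "did the owner actually change?" comparison is done below in Python.
SENTINEL_QUERY = """
SecurityIncident
| where LastModifiedTime > ago(5m)
| summarize arg_max(LastModifiedTime, *) by IncidentNumber
| project IncidentNumber, Title, Owner, LastModifiedTime
"""

NOW = datetime(2020, 6, 1, 12, 0, tzinfo=timezone.utc)  # fixed "poll time" for the sample


def _row(number: int, title: str, owner: Optional[str], age: timedelta) -> Dict:
    """Build a constructed SecurityIncident-style row `age` before NOW."""
    owner_col = {"assignedTo": owner.split("@")[0].title(), "email": owner} if owner else {}
    return {"IncidentNumber": number, "Title": title, "Owner": owner_col,
            "LastModifiedTime": NOW - age}


# Constructed sample rows covering the cases the poll has to tell apart.
SAMPLE_ROWS = [
    _row(101, "Suspicious sign-in", None, timedelta(hours=3)),
    _row(101, "Suspicious sign-in", "alice@example.com", timedelta(minutes=4)),  # assigned -> notify
    _row(102, "Malware detected", "bob@example.com", timedelta(days=1)),
    _row(102, "Malware detected", "bob@example.com", timedelta(minutes=2)),      # edited, same owner
    _row(103, "Port scan", "carol@example.com", timedelta(hours=2)),             # assigned before window
    _row(104, "Phishing report", "dan@example.com", timedelta(minutes=1)),       # created already assigned
    _row(105, "Brute force", "alice@example.com", timedelta(days=1)),
    _row(105, "Brute force", "bob@example.com", timedelta(minutes=3)),           # reassigned -> notify
]


def owner_email(row: Dict) -> Optional[str]:
    """Assignee e-mail from the Owner column, or None when unassigned."""
    return (row.get("Owner") or {}).get("email") or None


def find_new_assignments(rows: List[Dict], now: datetime = NOW,
                         window: timedelta = POLL_WINDOW) -> List[Dict]:
    """Return one notification per incident whose assignee changed inside the window.

    The owner at the end of the window is compared with the owner as it stood
    at the previous poll (the last row before the cutoff), so an assignment
    followed by an unrelated edit in the same window is still reported.
    """
    cutoff = now - window
    history: Dict[int, List[Dict]] = {}
    for row in rows:
        history.setdefault(row["IncidentNumber"], []).append(row)

    notifications: List[Dict] = []
    for number in sorted(history):
        ordered = sorted(history[number], key=lambda r: r["LastModifiedTime"])
        latest = ordered[-1]
        if latest["LastModifiedTime"] < cutoff:
            continue  # untouched since the last poll
        before = [r for r in ordered if r["LastModifiedTime"] < cutoff]
        previous_owner = owner_email(before[-1]) if before else None
        new_owner = owner_email(latest)
        if new_owner and new_owner != previous_owner:
            notifications.append({
                "IncidentNumber": number,
                "Title": latest["Title"],
                "PreviousOwner": previous_owner,
                "NewOwner": new_owner,
                "AssignedAt": latest["LastModifiedTime"],
            })
    return notifications


def format_email(notifications: List[Dict]) -> str:
    """Render the body the Logic App's send-mail action would carry."""
    if not notifications:
        return "No new incident assignments in the last poll window."
    lines = [f"{len(notifications)} incident(s) newly assigned:"]
    for n in notifications:
        prev = n["PreviousOwner"] or "unassigned"
        lines.append(f"- #{n['IncidentNumber']} '{n['Title']}': {prev} -> {n['NewOwner']} "
                     f"at {n['AssignedAt'].isoformat()}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_email(find_new_assignments(SAMPLE_ROWS)))
```

The comparison against the owner as of the previous poll, rather than against the immediately preceding row, is what keeps a status edit made seconds after an assignment from hiding the assignment; in the real Logic App the same effect comes from feeding the query results through a condition on the Owner field before the mail action.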

@Saif_Rahman If you have an NDA with Microsoft, see about joining the Azure Sentinel private previews. There is one there that would be of interest to you regarding this issue.

We have an NDA in place. Which one is this? @Gary Bushey

@Saif_Rahman Not sure I am allowed to say as it is a private preview. But if you join there will be a listing of all the private previews and there will definitely be one that will stand out :)