Sentinel Automation Requirements

Hi Team,

Please help to check the feasibility of the following use case:

    • Create an automation to email users when their failed logins exceed a specific threshold (using SecurityEvent log). Please note that we want the automation to be based off of security alerts, not incidents.
    • After the user responds saying that they didn’t attempt to log in, or if we don’t hear back from them for a specific period, then we’ll generate an incident in Sentinel.
3 Replies

Hi @Bhavini,

The oversimplified answer would be:

  1. Build the analytics query (KQL) matching your requirements with regard to failed logins.
  2. Create an analytics rule in order to create an alert, based on your analytic.
  3. Create a playbook based on your analytic rule, which will incorporate adaptive cards for Teams.
  4. User will receive a Teams notification/card where she/he will have to confirm activity.
  5. Upon response, the playbook will either create an incident or close the alert.

If I have answered your question, please mark your post as Solved.

If you like my response, please consider giving it a like
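As an illustration of step 1 above, here is a failed-logon threshold query over the SecurityEvent table. This is an added example, not code from the thread or from Microsoft; the threshold (10), the window (1h) and the assumption that Windows Security events are already flowing into SecurityEvent are all mine to adjust.

```kql
// Added example: accounts exceeding a failed-logon threshold in SecurityEvent.
// threshold and lookback are assumed values; tune them to your own baseline.
let threshold = 10;
let lookback = 1h;
SecurityEvent
| where TimeGenerated > ago(lookback)
| where EventID == 4625                     // "An account failed to log on"
| where AccountType == "User"
| where TargetUserName !endswith "$"        // drop computer accounts
  and TargetUserName !in ("", "-", "ANONYMOUS LOGON")
| summarize
    FailedCount  = count(),
    FirstFailure = min(TimeGenerated),
    LastFailure  = max(TimeGenerated),
    SourceIPs    = make_set(IpAddress, 10), // cap list size to keep rows small
    Hosts        = make_set(Computer, 10),
    SubStatuses  = make_set(SubStatus, 10), // 0xC000006A = bad password,
                                            // 0xC0000064 = unknown user, etc.
    LogonTypes   = make_set(LogonType, 10)
    by TargetUserName, TargetDomainName
| where FailedCount >= threshold
| extend Account = strcat(TargetDomainName, @"\", TargetUserName)
| project Account, TargetUserName, TargetDomainName, FailedCount,
          FirstFailure, LastFailure, SourceIPs, Hosts, SubStatuses, LogonTypes
| order by FailedCount desc
```

In the analytics rule, map TargetUserName to the Account entity's Name and TargetDomainName to its NTDomain, so the alert carries the account the playbook needs in order to look up the user's mailbox or Teams identity. Keep the rule's lookup period at least as long as the query's window so the summarize sees the same events the scheduler does.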

@cyb3rmik3 How can we create the 5th step? Could you please guide?

@Bhavini hey, there are no pre-defined options under Sentinel in playbooks for this, so I guess Graph API is the best way to build this.