playbooks
106 Topics

Automating label downgrade email notifications (Solved)

I've been asked to investigate scheduling a query to run once a day that searches for label downgrade activities and sends an email with a list of events to the user's manager (according to the AD attribute). The thinking is, the manager is more likely to know if the files that are being downgraded are sensitive, personal or inconsequential and can alert us if they are sensitive and we need to investigate further. I have a KQL query that provides the results, I have created an analytics rule that runs the query every 24 hours and generates an alert, but when it comes to the Playbook I'm not sure how/if I can extract the fields/attributes from the results so I can use them to generate the email(s). I want the manager to only get the results for the people in their team/department, not the results for everyone in the company, so I would expect separate emails will be sent to each manager daily, rather than the same email going to multiple managers. Is what I am trying to do feasible, and if so, am I going about it the right way? Any advice appreciated.

Logic app to close administrative tasks

I am trying to create a logic app that closes administrative tasks in Sentinel after checking UserPrincipalName and IPAddress. It will also check if the UserPrincipalName exists in a watchlist at the same time. But this didn't seem to work, can I get any help here?

Azure Sentinel - Run Antivirus Scan using Logic App (Solved)

Hello, I have to integrate an antivirus run scan into Azure Sentinel using a playbook (template Run MDE Antivirus - Incident Trigger). According to the prerequisites, I need to grant some permissions using a PowerShell command. "Run the following code replacing the managed identity object id. You find the managed identity object id on the Identity blade under Settings for the Logic App." From PowerShell, I enter the following commands:

$MIGuid = '0fff8f4e-xxxx-xxxx-xxxx-xxxxxxxxxxxxx'
$MI = Get-AzureADServicePrincipal -ObjectId $MIGuid

I receive the following error message:

Get-AzureADServicePrincipal: You must call the Connect-AzureAD cmdlet before calling any other cmdlets.

Any idea? PS: I'm not a developer... Regards, HA

How to Include Custom Details from an Alert in Email Generated by a Playbook

I have created an analytics rule that queries Sentinel for security events pertaining to group membership additions, and triggers an alert for each event found. The rule does not create an incident. Within the rule logic, I have created three "custom details" for specific fields within the event (TargetAccount, MemberName, SubjectAccount). I have also created a corresponding playbook for the purpose of sending an email to me when an alert is triggered. The associated automation rule has been configured and is triggered in the analytics rule. All of this is working as expected - when a member is added to a security group, I receive an email. The one remaining piece is to populate the email message with the custom details that I've identified in the rule. However, I'm not sure how to do this. Essentially, I would like the values of the three custom details shown in the first screenshot below to show up in the body of the email, shown in the second screenshot, next to their corresponding names. So, for example, say Joe Smith is added to the group "Admin" by Tom Jones. These are the fields and values in the event that I want to pull out:

TargetAccount = Admin
MemberName = Joe Smith
Subject Account = Tom Jones

The custom details would then be populated as such:

Security_Group = Admin
Member_Added = Joe Smith
Added_By = Tom Jones

and then, the body of the email would contain:

Group: Admin
Member Added: Joe Smith
Added By: Tom Jones

Slack slackbot messages using interactivity for Microsoft Sentinel incident actions

Hi, I am just wondering if anyone has managed to integrate Microsoft Sentinel Incidents with Slack to send slackbot messages using 'interactivity'. Similar to the Sentinel/MS Teams Adaptive Card feature where you get an adaptive card in Teams and you can hit buttons with actions such as 'Change Severity', 'Change Status', 'Assign Owner' etc. I am wondering if anyone has managed to achieve this same functionality with Slack. The closest I have found is this GitHub repo which uses a Webhook: https://github.com/Azure/Azure-Sentinel/blob/master/Playbooks/Send-Slack-Message-Webhook/incident-trigger/images/SlackMessage.png I have tried this but to no avail. Any insights would be appreciated.

Training Lab Playbook not triggered

Hello! I am trying to run the playbook Get-GeoFromIPAndTagIncident as per the Modules of the Training Lab provided by Azure Sentinel. I am running this on an incident in the training lab "Sign-ins from IPs that attempt sign-ins to disabled accounts". However, it does not trigger the playbook. I have included the screenshot. I am new to Sentinel and would really be glad if somebody could help. Thanks in anticipation!

I am learning to build Logic Apps working with Sentinel inc

Hello, I am learning to build Logic Apps. The tasks will mainly involve querying Log Analytics and writing comments in incidents. How can I do this securely? I understand that I need to add the Sentinel Contributor role for the Logic App, but what next? If I need the Logic App to be able to query, do I need to give it additional access, such as Log Analytics Contributor or Reader? When I want to create a connection, I have three options:

OAuth - I see that I log in with my account, and then the Logic App has access to what I have access to. Is this secure?

Service Principal - I need to register an application and create a secret for it, then grant this application access to Sentinel. Can I use a single Service Principal for all Logic Apps? I understand that secrets need to be rotated – does this affect my Logic Apps? Will I need to update something to ensure everything works properly?

Managed Identity - This only works within the specific Logic App? This seems like the best solution, but I managed to add a new Managed Identity to query Log Analytics, and in the next step, I wanted it to add tasks to an incident in Sentinel, and unfortunately, it didn't work. (However, I changed the last step and added it via OAuth, and it worked, allowing the Logic App to add tasks to the incident in Sentinel.)

This is one example I am working on: https://github.com/Azure/Azure-Sentinel/blob/master/Playbooks/Get-SOCTasks/readme.md

adding role assignment

It would be great if you could share your experiences! Thank you.

Create an Incident when an email arrives, Downloading attachment and saving in a blob storage (Solved)

I'm working on a Logic App in Azure Sentinel designed to automatically create incidents whenever an email arrives with a specific subject line. However, I'm encountering an error when trying to create the incident: code: 400. Could you please advise on what might be causing this error and how I can troubleshoot it? Thanks in advance for your assistance!