Jun 10 2020 07:39 AM
I have seen a few people ask how to get the Incident URL to show up in an email when calling a playbook. I was able to get this working by manually constructing the URL. I would consider this more of a workaround; the URL format could change at any time on Microsoft's end.
Essentially, what we are doing is adding the Incident ID onto the base URL: https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/
Within your Logic App it will look similar to this:
JSON Schema:
{
  "properties": {
    "etag": {
      "type": "string"
    },
    "id": {
      "type": "string"
    },
    "kind": {},
    "name": {
      "type": "string"
    },
    "properties": {
      "properties": {
        "AssignedTo": {},
        "CaseNumber": {
          "type": "integer"
        },
        "CloseReason": {},
        "ClosedReasonText": {},
        "CreatedTimeUtc": {
          "type": "string"
        },
        "Description": {
          "type": "string"
        },
        "EndTimeUtc": {
          "type": "string"
        },
        "FirstAlertTimeGenerated": {
          "type": "string"
        },
        "Labels": {
          "type": "array"
        },
        "LastAlertTimeGenerated": {
          "type": "string"
        },
        "LastUpdatedTimeUtc": {
          "type": "string"
        },
        "Metrics": {
          "properties": {
            "SecurityAlert": {
              "type": "integer"
            }
          },
          "type": "object"
        },
        "RelatedAlertIds": {
          "items": {
            "type": "string"
          },
          "type": "array"
        },
        "Severity": {
          "type": "string"
        },
        "StartTimeUtc": {
          "type": "string"
        },
        "Status": {
          "type": "string"
        },
        "Title": {
          "type": "string"
        }
      },
      "type": "object"
    },
    "tags": {},
    "type": {
      "type": "string"
    }
  },
  "type": "object"
}
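As an added illustration (not code from the original post, from the poster, or from Microsoft), the following Python builds the incident link the way the post describes: it appends the incident identifier from a payload shaped like the schema above to the base URL, and assembles the subject and body that a playbook email would carry. The post does not say which schema field it appends, so the function defaults to the id property (the full resource path) and accepts name (the bare GUID) instead. The sample incident, the INCIDENT_BASE_URL constant and the incident_url and notification functions are this example's own, and every subscription, workspace and GUID value in the sample is made up.

```python
import re
from urllib.parse import quote

# Base URL quoted in the post above. It is undocumented, so treat it as
# something that may change rather than as a stable API.
INCIDENT_BASE_URL = "https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/"

# Constructed sample shaped like the JSON schema in the post. Every value
# (subscription, resource group, workspace, GUIDs, title) is made up.
SAMPLE_INCIDENT = {
    "etag": "\"0100abcd-0000-0000-0000-000000000000\"",
    "id": ("/subscriptions/11111111-2222-3333-4444-555555555555"
           "/resourceGroups/rg-sentinel"
           "/providers/Microsoft.OperationalInsights/workspaces/sentinel-ws"
           "/providers/Microsoft.SecurityInsights/Incidents"
           "/aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"),
    "name": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
    "kind": None,
    "tags": None,
    "type": "Microsoft.SecurityInsights/Incidents",
    "properties": {
        "AssignedTo": None,
        "CaseNumber": 42,
        "CreatedTimeUtc": "2020-06-10T07:00:00Z",
        "Description": "Multiple failed sign-ins followed by a success",
        "Severity": "High",
        "Status": "New",
        "Title": "Suspicious sign-in",
        "Labels": [],
        "RelatedAlertIds": ["11111111-aaaa-bbbb-cccc-222222222222"],
    },
}


def incident_url(incident: dict, id_field: str = "id") -> str:
    """Append the incident identifier to the base portal URL.

    The post does not say which schema field it appends; "id" (the full
    resource path) is the default here and "name" (the bare GUID) also works.
    The identifier is data taken from the incident payload, not a constant,
    so every path segment is percent-encoded before it goes into the link.
    """
    identifier = incident.get(id_field)
    if not isinstance(identifier, str):
        raise ValueError(f"incident has no string '{id_field}' value")
    # Split on '/' and drop empty segments so a leading slash or a doubled
    # slash in the resource path cannot produce '//' in the final URL.
    segments = [s for s in identifier.split("/") if s]
    if not segments:
        raise ValueError(f"incident '{id_field}' value is empty")
    return INCIDENT_BASE_URL + "/".join(quote(s, safe="") for s in segments)


def notification(incident: dict) -> dict:
    """Build the subject, plain-text body and link for the playbook email.

    Returned as a dict so each piece can be mapped onto a field of the mail
    connector action; the URL is also returned on its own for an HTML link.
    """
    props = incident["properties"]
    url = incident_url(incident)
    subject = f"[Sentinel] #{props['CaseNumber']} {props['Severity']}: {props['Title']}"
    body = "\n".join([
        f"Incident: {props['Title']}",
        f"Case number: {props['CaseNumber']}",
        f"Severity: {props['Severity']}",
        f"Status: {props['Status']}",
        f"Created (UTC): {props['CreatedTimeUtc']}",
        f"Open in portal: {url}",
    ])
    return {"subject": subject, "body": body, "url": url}


if __name__ == "__main__":
    note = notification(SAMPLE_INCIDENT)
    print(note["subject"])
    print(note["body"])
```

Percent-encoding each segment matters because the identifier comes out of the incident rather than out of your own configuration: a value containing ?, # or a space would otherwise be pasted straight into an href in the mail, whereas encoded it can only ever be a path under the portal's Incident asset. In the Logic App designer the same concatenation is a concat() expression over the base URL and the incident field from the trigger.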
Jun 10 2020 07:53 AM
@mperrotta This is great. Nice job!
I also have a KQL query that parses it out of AzureActivity:
https://github.com/rod-trent/SentinelKQL/blob/master/SentinelIncidentURLs-%20ALL.txt
Jun 14 2020 11:46 PM
@mperrotta : Great workaround!
Note that the incident URL is available through the API (see here) and should not be very hard to call from Logic Apps. We have also started private preview for triggering Playbooks on incident creation, which will provide easier access to incident details, including the URL.