Jan 10 2021 03:53 PM
Two Questions:
1. When you assign a ticket to an individual from the Sentinel Incidents - Is there any inbuilt notification features or do most people do this through Playbooks?
2. Is there a documented reference architecture for Incident Management in Azure Sentinel? For example, we would like to use native Microsoft tooling (Boards, etc.) vs. external ticketing flows.
Jan 11 2021 02:39 AM
The easiest way to do this is to set up a Logic App that runs on a schedule (every few minutes) and runs a query against the SecurityIncident table; have it look for a "recently modified" timestamp and new assignment; the result can then be e-mailed.
The "Incident" tooling itself is fairly minimal but seems to be growing as a workflow. I'm a big fan of tailoring workflows for the business and what makes the most sense for the SOC/analysts working the incident.
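As an added illustration of the scheduled query described above (not code from the thread or from Microsoft), one way to express the "recently modified with a new assignment" check in KQL against the SecurityIncident table, assuming the standard schema (Owner, LastModifiedTime, ModifiedBy, IncidentUrl) and a 5-minute recurrence matching the Logic App schedule:

```kusto
// Added example for a scheduled Logic App "Run query and list results" step.
// Assumption: the Logic App recurrence is 5 minutes, so only rows written in
// that window are considered; adjust the window to match the schedule.
let window = 5m;
SecurityIncident
// Each update to an incident writes a new row, so flatten the owner fields first
| extend AssignedTo  = tostring(Owner.assignedTo),
         AssignedUpn = tostring(Owner.userPrincipalName)
// Sort so that prev() sees the previous version of the same incident
| order by IncidentNumber asc, TimeGenerated asc
| extend PrevAssignedTo = iff(prev(IncidentNumber) == IncidentNumber, prev(AssignedTo), "")
// Keep only rows modified inside the polling window ...
| where LastModifiedTime > ago(window)
// ... where an owner is now set and differs from the previous version
| where isnotempty(AssignedTo) and AssignedTo != PrevAssignedTo
| project LastModifiedTime, IncidentNumber, Title, Severity, Status,
          AssignedTo, AssignedUpn, ModifiedBy, IncidentUrl
```

The projected columns map directly onto the fields an "Send an email" action would need (assignee address, incident title and link).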
Jan 11 2021 04:47 AM
@Saif_Rahman If you have an NDA with Microsoft, see about joining the Azure Sentinel private previews. There is one there that would be of interest to you regarding this issue.
Jan 11 2021 08:18 AM
We have an NDA in place - which one is this? @Gary Bushey
Jan 11 2021 09:06 AM
@Saif_Rahman Not sure I am allowed to say as it is a private preview. But if you join there will be a listing of all the private previews and there will definitely be one that will stand out :)