Forum Discussion
Cameron_Stephens
Nov 01, 2024 | Copper Contributor
Automating label downgrade email notifications
I've been asked to investigate scheduling a query to run once a day that searches for label downgrade activities and sends an email with a list of events to the user's manager (according to the AD attribute). The thinking is, the manager is more likely to know if the files that are being downgraded are sensitive, personal or inconsequential and can alert us if they are sensitive and we need to investigate further.
I have a KQL query that provides the results, and I have created an analytics rule that runs the query every 24 hours and generates an alert, but when it comes to the Playbook I'm not sure how/if I can extract the fields/attributes from the results so I can use them to generate the email(s). I want the manager to only get the results for the people in their team/department, not the results for everyone in the company, so I would expect separate emails to be sent to each manager daily, rather than the same email going to multiple managers.
Is what I am trying to do feasible, and if so, am I going about it the right way?
Any advice appreciated.
- Samuel1993 (Copper Contributor)
Please can you send this KQL query that you're using?
- Cameron_Stephens (Copper Contributor)
Sure, we wanted to be alerted if any label that was Confidential or higher was downgraded.
Here is the query we are using; you just need to substitute your own labels and corresponding GUIDs.

let labelsMap = parse_json('{'
    '"<Label GUID>": "Public",'
    '"<Label GUID>": "Internal",'
    '"<Label GUID>": "Confidential",'
    '"<Label GUID>": "Highly Confidential"'
    '}');
MicrosoftPurviewInformationProtection
| where LabelEventType == "LabelDowngraded"
| extend NewSensitivityLabelName = iif(isnotempty(SensitivityLabelId), tostring(labelsMap[tostring(SensitivityLabelId)]), "")
| extend OldSensitivityLabelName = iif(isnotempty(OldSensitivityLabelId), tostring(labelsMap[tostring(OldSensitivityLabelId)]), "")
| where OldSensitivityLabelName contains "Confidential"
| extend Object = url_decode(ObjectId)
| extend FileName = extract(@'.*[\\\/](.*)$', 1, Object)
| project TimeGenerated, UserId, FileName, OldSensitivityLabelName, NewSensitivityLabelName, JustificationText
- Clive_Watson (Bronze Contributor)
You will need to use the Playbook to extract the entity details and the email for the user. You can then pass that to the "Send an Email" step, or use IdentityInfo, which has the manager details (assuming you have UEBA enabled), so once you have the user you can look up the manager:

IdentityInfo
| where AccountUPN == "< insert name >"
| project AccountName, Manager

Supported triggers and actions in Microsoft Sentinel playbooks | Microsoft Learn
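The query posted above and the IdentityInfo lookup suggested in the reply can be combined into a single query that already comes out grouped by manager, which is the shape a playbook needs in order to send one email per manager. The following is an added example, not code from the original thread: it assumes IdentityInfo's Manager column holds the manager's UPN (the address the mail goes to), uses placeholder label GUIDs, and routes users with no manager on record to a placeholder fallback mailbox.

```kql
// Added example, not code from the original thread: the downgrade query joined to
// IdentityInfo so that each output row is one manager together with the downgrade
// events for that manager's direct reports. Label GUIDs are placeholders.
let labelsMap = parse_json('{'
    '"<Label GUID>": "Public",'
    '"<Label GUID>": "Internal",'
    '"<Label GUID>": "Confidential",'
    '"<Label GUID>": "Highly Confidential"'
    '}');
// IdentityInfo is a snapshot table with many rows per account over time, so keep
// only the newest row per user; otherwise a user whose manager changed would be
// reported to both the old and the new manager.
let latestIdentity = IdentityInfo
    | summarize arg_max(TimeGenerated, Manager, Department) by AccountUPN
    | extend AccountKey = tolower(AccountUPN)
    | project AccountKey, Manager, Department;
MicrosoftPurviewInformationProtection
| where TimeGenerated > ago(1d)                 // one day, matching the 24-hour rule
| where LabelEventType == "LabelDowngraded"
| extend NewSensitivityLabelName = iif(isnotempty(SensitivityLabelId), tostring(labelsMap[tostring(SensitivityLabelId)]), ""),
         OldSensitivityLabelName = iif(isnotempty(OldSensitivityLabelId), tostring(labelsMap[tostring(OldSensitivityLabelId)]), "")
| where OldSensitivityLabelName contains "Confidential"   // matches Confidential and Highly Confidential
| extend FileName = extract(@'.*[\\\/](.*)$', 1, url_decode(ObjectId))
// UPN case often differs between the two tables and == is case-sensitive,
// so join on a lower-cased key.
| extend AccountKey = tolower(UserId)
| join kind=leftouter latestIdentity on AccountKey
// Assumption: Manager holds the manager's UPN, i.e. the recipient address.
// Users with no manager on record go to a fallback mailbox (placeholder address).
| extend ManagerEmail = iif(isempty(Manager), "<soc-mailbox@example.com>", Manager)
| summarize EventCount = count(),
            Events = make_list(bag_pack("Time", TimeGenerated,
                                        "User", UserId,
                                        "File", FileName,
                                        "OldLabel", OldSensitivityLabelName,
                                        "NewLabel", NewSensitivityLabelName,
                                        "Justification", JustificationText), 200)
  by ManagerEmail
| order by EventCount desc
```

Each output row maps to one email in the playbook: a For each over the rows, with ManagerEmail as the recipient and the Events array (capped at 200 entries by make_list) rendered into the body. Keeping the per-manager grouping in the query rather than in the Logic App means the playbook never has to reconstruct who reports to whom from individual alert entities.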
- Cameron_Stephens (Copper Contributor)
Hi Clive_Watson, thanks for your reply. That looks like exactly what I need, and my query is already set up to use the IdentityInfo table to get the manager attribute.
Unfortunately, I cannot find the Select Entities action. It's not under any of the obvious ones in the screenshot, like Data Operations, either. Is there something missing from my Sentinel instance?
- Clive_Watson (Bronze Contributor)
Hi, type "Sentinel", then press "See more"; you should have all the Sentinel actions listed.
Then you get this screen.