Forum Discussion
Solved
Automating label downgrade email notifications
I've been asked to investigate scheduling a query to run once a day that searches for label downgrade activities and sends an email with a list of events to the user's manager (according to the AD at...
You will need to use the Playbook to extract the Entity details, and the email for the user, you can then pass that to the "Send an Email" step or use IdentityInfo which has the manager details (assuming you have UEBA enabled), so once you have the user, you can lookup the manager
IdentityInfo
| where AccountUPN == "< insert name >"
| project AccountName, ManagerSupported triggers and actions in Microsoft Sentinel playbooks | Microsoft Learn
You will need to use the Playbook to extract the Entity details, and the email for the user, you can then pass that to the "Send an Email" step or use IdentityInfo which has the manager details (assuming you have UEBA enabled), so once you have the user, you can lookup the manager
IdentityInfo
| where AccountUPN == "< insert name >"
| project AccountName, Manager
Supported triggers and actions in Microsoft Sentinel playbooks | Microsoft Learn
Hi Clive_Watson thanks for your reply, that looks like exactly what I need, and my query is already setup to use the IdentityInfo table to get the manager attribute.
Unfortunately, I cannot find the Select Entities action. Its not under any of the obvious ones in the screenshot, like Data Operations either. Is there something missing from my Sentinel instance?
Hi, Type "Sentinel" --> then press "see more", you should have all the Sentinel actions listed
then you get this screen
Thanks Clive_Watson I did see that entry but because it didnt match what you had on your screen I didnt select it.
Unfortunately, I have the same issue with the email action, under Outlook 365, I don't have "Send an email with incident details".
