How to create a Playbook that sends an email to a user involved in an incident?
Hello everybody, I need to configure a Sentinel playbook to send emails to users when an incident is created regarding their account. I have created a playbook that uses Identity Protection incidents creation as trigger but I'm not currently able to set the right parameter to address automatically the alert to the user the incident refers to. I don't need to set an address statically but the playbook has to fetch the user email address from the incident automatically and use it as recipient. Which parameter or expression should I use? I hope you can kindly help me with this. Best regards.
Run query for multiple IP
I am trying to run the query in the logic app for a security incident in sentinel. what I expect this query to do is give the result of multiple IP associated with the incident. SigninLogs |where UserPrincipalName contains "Account Name" and IPaddress =="A list of IPs associated with the alert " and DeviceDetails.isCompliant == True |summarize by UserPrincalName,IPAddress,tostring(DeviceDetail) Error: ExpressionEvaluationFailed. The execution of template action 'For_each_3' failed: the result of the evaluation of 'foreach' expression '@body('Entities_-_Get_IPs')' is of type 'Object'. The result must be a valid array.New Blog Post | How to Query HaveIBeenPwned Using a Microsoft Sentinel Playbook
How to Query HaveIBeenPwned Using a Microsoft Sentinel Playbook - Azure Cloud & AI Domain Blog (azurecloudai.blog) I’ve known Troy Hunt for a number of years and his contributions to the security and privacy industry have been hugely valuable and much appreciated by the masses. HaveIBeenPwned is a great resource developed and maintained by Troy. It provides the ability to query against its database to expose domains or user accounts that have been caught up in any of the number of reported industry data breaches. Wouldn’t it be nice, then, to have this data available for your Microsoft Sentinel investigations? Fortunately, Troy provides an API for his service. I’ve provided a Microsoft Sentinel Playbook that takes email addresses associated with an Incident and submits them through the API and returns a quick note to the Comments tab in the Incident as to whether or not the email address(es) has been compromised. Original Post: New Blog Post | How to Query HaveIBeenPwned Using a Microsoft Sentinel Playbook - Microsoft Tech Community
How to use 'When Azure Sentinel incident creation rule was triggered' trigger in playbook
Hi team I have been wondering can this trigger 'When Azure Sentinel incident creation rule was triggered' be used?? I am unable to select the playbook having this trigger in any alert rule created under Azure Sentinel analytics. Can someone please help me out with this. I just want a playbook to be triggered using this trigger and post the incident details to Slack
RE: Tracking Compliance Status changes for Intune Device(s) with KQL/Playbook
Hello, I am looking to build a Playbook based on Intune and Compliance Status. First I have the following KQL query to check for 'Non-Compliance' status... IntuneDeviceComplianceOrg | where isnotempty(DeviceHealthThreatLevel) | where ComplianceState != "Compliant" | project TimeGenerated, ComplianceState, DeviceName, DeviceId, OS, UserName, UserEmail | summarize arg_max(TimeGenerated, *) by DeviceId Next, I will create an Analytics Rule (using the above query) that with generate an Incident but at the moment will NOT trigger any Automation. Next, I want to 'capture' when an external trigger ((from a remediation action or Azure Policy) changes the 'Compliance' status changes to 'Compliant' for the Intune device. Next, I want to capture in another KQL query the following: - IF an Intune Device HAD the 'Compliance' status of 'Non-Compliance' OVER the last 7 days - ...AND had an Incident created (this is the bit I am struggling with) - <Is there a way to check for Incident creation?> - ...JOIN (or UNION) against SAME Intune Device where the 'Compliance' status has changed to 'Compliant' in the last 24hrs Is there a way to perform a JOIN against the IntuneDeviceComplianceOrg TABLE and I believe the new-ish SecurityIncident TABLE? Next, I want to set the above query against another Analytics Rule, where NO new Incident is generated BUT an Automation 'action' activates a Playbook/Logic App to commit an ACTION to close the 'related' Incident
