Receive an Email Notification Each Morning with the List of Daily Microsoft Sentinel Incidents Created
Inbox workout
Would you like to have an email notification show up daily in your inbox (or your security team’s share inbox) with a list of the Incidents created while you were sleeping?
Here’s a Logic App that is ready to fully deploy to your environment that delivers at 7am each morning and includes the list of Incidents created since last checked.
The email includes time the incident was created, the title, description, severity, and URL that links directly to the incident. This is a huge timesaver for those security teams that need to get a quick handle on the daily workload first thing each morning.
Here’s a quick walkthrough of the logic:
The query looks like the following:
SecurityIncident
| where TimeGenerated > ago(1d)
| where Status == "New"
| project TimeGenerated, Title, Description, Severity, IncidentUrlThe Logic App ready to fully deploy to Azure and is available here: https://rodtrent.com/z2t
One other thing you might want to do is to limit what is returned in the email by Incident severity. For example, you may want to be notified only about High severity Incidents. In that case add | where Severity == “High” to the query. Or maybe you want to see everything by Informational severity. Then insert something like | where Severity != “Informational”.
Not yet a student of KQL (the language used for Microsoft Sentinel queries)? Check out the Must Learn KQL series: https://aka.ms/MustLearnKQL
The deployment template for this Playbook was created using Sreedhar’s Playbook Template Generator and using Logic App Parameters for the variables.
[Want to discuss this further? Hit me up on Twitter or LinkedIn]
[Subscribe to the RSS feed for this blog]
[Subscribe to the Weekly Microsoft Sentinel Newsletter]
[Subscribe to the Weekly Microsoft Defender Newsletter]
[Learn KQL with the Must Learn KQL series and book]