Sentinel Email Notification Logic App

Azure Sentinel feature development is progressing at a rapid pace. Currently there is no option to setup an email subscription for all Sentinel incidents. Though I expect more tooling around email notifications in the near future. In the meantime, the following Logic App is a simple way to setup a global email subscription for Sentinel incidents.

Current State:

Most of the connected solutions like Azure Security Center have email notification options for alerts. Clearly if you are gathering alerts into a single pane of glass you want to manage email notifications at the parent level.

You do have the option to link one logic app to each scheduled analytic rule in Sentinel. This could trigger an email. There are additional rule-types that do not have this option and you probably want to reserve that slot for automation.

There are currently two Logic App triggers for Sentinel:

  1. When a response to an Azure Sentinel alert is triggered (preview)
  2. When Azure Sentinel incident creation rule was triggered (private preview only)

The first trigger is executed automatically when linked to a scheduled analytics rule and can be manually triggers from the incident details view. The second option (which may not be visible) is in private preview. This second option will apparently be able to trigger in response to any new Incident.

Monitoring the Sentinel Incident Queue

There are several ways to monitor the Sentinel queue. A recent update began exposing Sentinel Incidents to the SecurityIncident table.

There are several ways to read that table including the Azure Sentinel Management API, Log Analytics API, or even the Azure Data Explorer API.

From a Logic App perspective, you could use an HTTP connector with an API, there is a ADX query activity, and an Azure Monitor Logs activity. This solution will use the Azure Monitor Logs activity.

Creating the Logic App:

This Logic App will not be available for download because it is so simple to setup.

STEP1: Create and test a scheduled query. Set the interval and query filters to your desired requirements.

STEP 2: Save and run the Logic App to validate your returned results.

STEP 3: Add the O365 email activity.

Authenticate to O365 and begin formatting the email. Start by emailing yourself for testing. Note that your data will be automatically parsed and will be listed as dynamic content. Click the “See more” button if the view is blank.

Step 4: Add any of the dynamic values to the Subject. For example, Title. This will automatically reformat the activity as a For Each loop (seen below).

STEP 5: Format the email to meet your specific requirements.

This sends a unique email for each new Sentinel alert on an hourly basis.

Advanced Options

  • Consider filtering the query further to limit severity.
  • If you want a summary email, experiment with the Azure Monitor Logs Query Visualization activity.
  • If you want admins to be able to close or comment on incidents directly from email, try the email approval activity for O365.
  • Explore the many Sentinel logic app activities for more advanced automation like closing, updating, and bookmarking incidents.
  • If you are planning to setup ITSM integration, this can be a great way to gather Sentinel incidents for sending to an ITSM connector or API.