Receive an Email Notification Each Morning with the List of Daily Microsoft Sentinel Incidents Created

Would you like an email notification to show up daily in your inbox (or your security team's shared inbox) with a list of the Incidents created while you were sleeping?

Here's a Logic App, ready to deploy to your environment, that sends the email at 7am each morning with the list of Incidents created in the previous 24 hours.

The email includes the time each incident was created, its title, description, severity, and a URL that links directly to the incident. This is a huge timesaver for security teams that need to get a quick handle on the day's workload first thing each morning.

Daily New Incidents Email

Here’s a quick walkthrough of the logic:

Step 1: Recurrence Trigger – set for 7am every day
Step 2: Run the query (below) against the Microsoft Sentinel Log Analytics workspace and create an HTML table from the results. The connection this step uses only needs read access to the workspace (Log Analytics Reader is enough); don't grant it more than that.
Step 3: Send the email and include the HTML table created in Step 2

The query looks like the following:

SecurityIncident
| where CreatedTime > ago(1d)                            // created in the last 24 hours, not merely updated
| summarize arg_max(TimeGenerated, *) by IncidentNumber  // one row per incident: the table keeps a row for every update
| where Status == "New"
| project CreatedTime, Title, Description, Severity, IncidentUrl
| order by CreatedTime desc

The most current version of this query will always be available from my GitHub repo: https://cda.ms/4c6

The Logic App, ready to deploy to Azure, is available here: https://cda.ms/4c5

One other thing you might want to do is limit what is returned in the email by Incident severity. For example, you may want to be notified only about High severity Incidents. In that case add | where Severity == "High" to the query (use straight quotes; KQL does not accept curly ones). Or maybe you want to see everything except Informational severity. Then insert something like | where Severity != "Informational".
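To make the three steps and the query concrete without an Azure subscription, here is an added example (my own code, not the Logic App from the repo linked above) that does in Python what Steps 2 and 3 do in the Logic App: it takes a query response in the tables/columns/rows shape the Log Analytics query API returns, keeps only the latest record per incident (the arg_max in the query), applies the created-in-the-last-24-hours, Status == "New" and optional severity filters from the paragraphs above, and renders the HTML table for the email. The sample response, incident numbers, URLs and the 7am "now" timestamp are constructed for the example; the portal-prefix allow-list for links is my assumption, not anything the Logic App does. Incident titles and descriptions can carry text taken from logs (and so from whoever wrote those logs), so the table HTML-escapes every cell before it goes into a mail body.

```python
import html
from datetime import datetime, timedelta, timezone

# Constructed sample in the shape the Log Analytics query API returns.
# Incident 100 was created two days ago but edited last night, so its newest
# record has a recent TimeGenerated; incident 101 has two records because it
# was edited once while still "New". Both are the cases the query must handle.
SAMPLE_RESPONSE = {
    "tables": [{
        "name": "PrimaryResult",
        "columns": [
            {"name": "TimeGenerated", "type": "datetime"},
            {"name": "IncidentNumber", "type": "int"},
            {"name": "CreatedTime", "type": "datetime"},
            {"name": "Title", "type": "string"},
            {"name": "Description", "type": "string"},
            {"name": "Severity", "type": "string"},
            {"name": "Status", "type": "string"},
            {"name": "IncidentUrl", "type": "string"},
        ],
        "rows": [
            ["2024-05-01T01:00:00Z", 100, "2024-04-29T10:00:00Z", "Old incident re-assigned",
             "Still untriaged", "Low", "New", "https://portal.azure.com/#example/incident/100"],
            ["2024-05-01T02:10:00Z", 101, "2024-05-01T02:10:00Z", "Brute force against VPN",
             "20 failures for <b>svc_backup</b>", "High", "New", "https://portal.azure.com/#example/incident/101"],
            ["2024-05-01T02:45:00Z", 101, "2024-05-01T02:10:00Z", "Brute force against VPN",
             "20 failures for <b>svc_backup</b>", "High", "New", "https://portal.azure.com/#example/incident/101"],
            ["2024-05-01T03:30:00Z", 102, "2024-05-01T03:30:00Z", "Suspicious sign-in",
             "Impossible travel", "Medium", "Active", "https://portal.azure.com/#example/incident/102"],
            ["2024-05-01T05:05:00.1234567Z", 103, "2024-05-01T05:05:00Z", "Mass download",
             "4 GB pulled from SharePoint", "Informational", "New", "https://evil.example/phish"],
        ],
    }]
}

# The 7am run time for the constructed sample (the Logic App uses the real clock).
DIGEST_NOW = datetime(2024, 5, 1, 7, 0, tzinfo=timezone.utc)
# Assumption for the example: only link to hosts we expect an IncidentUrl to point at.
PORTAL_PREFIXES = ("https://portal.azure.com/",)
COLUMNS = ["CreatedTime", "Title", "Description", "Severity"]


def parse_ts(value):
    """Parse the API's ISO 8601 timestamps; trim beyond 6 fractional digits for fromisoformat."""
    value = value.rstrip("Z")
    if "." in value:
        head, frac = value.split(".", 1)
        value = f"{head}.{frac[:6]}"
    return datetime.fromisoformat(value).replace(tzinfo=timezone.utc)


def rows_as_dicts(response):
    """Turn the first result table into a list of {column: value} records."""
    table = response["tables"][0]
    names = [c["name"] for c in table["columns"]]
    return [dict(zip(names, row)) for row in table["rows"]]


def latest_record_per_incident(records):
    """Equivalent of 'summarize arg_max(TimeGenerated, *) by IncidentNumber'."""
    latest = {}
    for r in records:
        n = r["IncidentNumber"]
        if n not in latest or parse_ts(r["TimeGenerated"]) > parse_ts(latest[n]["TimeGenerated"]):
            latest[n] = r
    return list(latest.values())


def daily_digest(response, now, window_hours=24, only=None, exclude=()):
    """Incidents created inside the window, still New, optionally filtered by severity, newest first."""
    cutoff = now - timedelta(hours=window_hours)
    picked = [
        r for r in latest_record_per_incident(rows_as_dicts(response))
        if parse_ts(r["CreatedTime"]) > cutoff
        and r["Status"] == "New"
        and (only is None or r["Severity"] in only)
        and r["Severity"] not in exclude
    ]
    return sorted(picked, key=lambda r: parse_ts(r["CreatedTime"]), reverse=True)


def build_html_table(records):
    """Render the email table; every cell is escaped and only allow-listed URLs become links."""
    head = "".join(f"<th>{html.escape(c)}</th>" for c in COLUMNS + ["Link"])
    body = []
    for r in records:
        cells = "".join(f"<td>{html.escape(str(r[c]))}</td>" for c in COLUMNS)
        url = r["IncidentUrl"]
        if url.startswith(PORTAL_PREFIXES):
            cells += f'<td><a href="{html.escape(url, quote=True)}">open</a></td>'
        else:
            cells += f"<td>{html.escape(url)}</td>"  # shown as text, never as a clickable link
        body.append(f"<tr>{cells}</tr>")
    return f"<table><tr>{head}</tr>{''.join(body)}</table>"


if __name__ == "__main__":
    print(build_html_table(daily_digest(SAMPLE_RESPONSE, DIGEST_NOW, exclude=("Informational",))))
```

Run as-is it prints the table for the previous night's High incident only; drop the exclude argument to see the Informational one as well, or pass only=("High",) for the High-only variant described above. Note that incident 100 never appears: it was updated last night but created two days ago, which is exactly the row a filter on TimeGenerated instead of CreatedTime would wrongly include.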

Not yet a student of KQL (the language used for Microsoft Sentinel queries)? Check out the Must Learn KQL series: https://aka.ms/MustLearnKQL

The deployment template for this Playbook was created using Sreedhar’s Playbook Template Generator and using Logic App Parameters for the variables.
