Would you like to have an email notification show up daily in your inbox (or your security team's shared inbox) with a list of the Incidents created while you were sleeping?
Here’s a Logic App that is ready to fully deploy to your environment that delivers at 7am each morning and includes the list of Incidents created since last checked.
The email includes the time the incident was created, the title, description, severity, and a URL that links directly to the incident. This is a huge timesaver for security teams that need to get a quick handle on the daily workload first thing each morning.
Here’s a quick walkthrough of the logic:
The query looks like the following:
SecurityIncident | where TimeGenerated > ago(1d) | where Status == "New" | project TimeGenerated, Title, Description, Severity, IncidentUrl
The most current version of this query will always be available from my GitHub repo: https://cda.ms/4c6
The Logic App is ready to fully deploy to Azure and is available here: https://cda.ms/4c5
One other thing you might want to do is limit what is returned in the email by Incident severity. For example, you may want to be notified only about High severity Incidents. In that case, add | where Severity == "High" to the query. Or maybe you want to see everything but Informational severity. Then insert something like | where Severity != "Informational".
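As an added example (my own query, not the one in the author's GitHub repo), here is a variant of the digest query that also handles a detail the basic version does not: SecurityIncident records a new row every time an incident is modified, so an incident created and then updated overnight can show up twice in the email. The query keeps only the latest row per incident, and it orders the digest by severity so the urgent items are at the top. It assumes the standard SecurityIncident columns IncidentNumber, CreatedTime and LastModifiedTime.

```kql
// Added example query for the daily incident digest (not from the original post).
// Each update to an incident writes another row to SecurityIncident, so the
// plain "where TimeGenerated > ago(1d)" filter can return the same incident
// several times with different states. Collapsing to the newest row per
// IncidentNumber gives one line per incident, showing its current state.
SecurityIncident
| where CreatedTime > ago(1d)                      // created in the last day, not merely modified
| summarize arg_max(LastModifiedTime, *) by IncidentNumber   // latest state of each incident
| where Status == "New"                            // still untouched by the team
| where Severity != "Informational"                // optional severity filter, as described above
| extend SeverityRank = case(Severity == "High", 0,
                             Severity == "Medium", 1,
                             Severity == "Low", 2,
                             3)                    // anything else sorts last
| order by SeverityRank asc, CreatedTime desc
| project CreatedTime, Title, Description, Severity, IncidentUrl
```

If you paste this into the Logic App in place of the original query, keep the Run Query action's output columns in sync, since CreatedTime replaces TimeGenerated in the projection.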
Not yet a student of KQL (the language used for Microsoft Sentinel queries)? Check out the Must Learn KQL series: https://aka.ms/MustLearnKQL