Currently there is no built-in functionality that notifies you via email when an incident is generated in Azure Sentinel. Checking Azure Sentinel all the time isn’t a practical option, while working from email is simply a habit.
In this article, I’d like to share with you step-by-step guidance on how to set up an Azure Logic App playbook to send incident information to your email.
Perform the following steps to complete the setup:
Step 1: Go to Azure Sentinel > Playbook.
Step 2: Click Add Playbook.
Step 3: You are redirected to the Logic App creation page. Enter a name for the new Logic App playbook, then select the subscription and resource group.
Step 4: Once the new Logic App is created, you are taken to the Logic App Designer page. From this page, click Blank Logic App.
Step 5: Enter Azure Sentinel in the search box. Click the When a response to an Azure Sentinel alert is triggered (preview) trigger.
Step 6: Click New step. Now you can decide which email service you want to send from. There are a bunch of email services available in Azure Logic App. In this article, my purpose is to use my personal Gmail account to send Azure Sentinel incident notifications to another personal Outlook.com address. Enter Gmail in the search box and click it. Look for the Send an email action.
[Updated 08/12/2021] The Gmail connector has been updated to comply with Google’s data security policy. You can follow the steps described here https://docs.microsoft.com/en-us/azure/connectors/connectors-google-data-security-privacy-policy#steps-for-affected-logic-apps to set up an authorized connection.
Step 7: You are asked to sign in to use the Gmail service. Click the Sign in button and sign into your Gmail account. Once you have signed in successfully, you will see “Connected to <gmail>”. In the To field, enter the email address that should receive the notification from your Gmail account.
Step 8: Click Add new parameter to add the other parameters an email needs, such as Subject and Body. From the drop-down list, select Subject and Body. You can also select CC and BCC if you’d like.
Step 9: In the Subject field, enter the subject title of the email. Azure Logic App lets you build dynamic content. In this example, we want to tell the recipient that the email comes from Azure Sentinel, along with the alert display name and the time generated. Click Add dynamic content and select the Alert display name and Time generated (UTC) fields from the list.
Step 10: In the Body field, you can customize the email body with HTML. Below is the sample email:
<p>Hello AzSec,</p>
<p>You have an incident from Azure Sentinel. Below is information:</p>
<ul>
  <li><strong>Alert Name: </strong>az</li>
  <li><strong>Description</strong>: az</li>
  <li><strong>Severity</strong>: az</li>
  <li><strong>Resource Group</strong>: az</li>
  <li><strong>Start Time</strong>: az</li>
  <li><strong>End Time</strong>: az</li>
</ul>
<p>Please review and let us know whether this incident is false positive.</p>
<p>AzSec Team</p>
Copy the HTML code above and paste it into the Body field. Replace every ‘az’ placeholder with the corresponding dynamic content.
Step 11: Everything looks good now. Click Save to save this playbook. After that, click Run.
Step 12: If you don’t want to wait for a new incident, you can trigger your playbook manually. Go to the Azure Sentinel Incidents page, select an existing incident and click View full details.
Step 13: There is a View playbook link. Click it.
Step 14: You will see the playbook you created. Select it and click Run.
Step 15: Go check your email.
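To show what the finished playbook actually sends, here is an added example (my own code, not part of the original post or of any Microsoft connector) that renders the Gmail action’s Subject and HTML Body for a sample alert the way the dynamic-content expressions do. The @{Field} tokens are a simplification of the @{triggerBody()?['Field']} expressions Logic Apps generates in code view; the alert payload and its field names (AlertDisplayName, WorkspaceResourceGroup, StartTimeUtc, ...) are constructed assumptions based on the dynamic-content labels used above. One thing the designer will not do for you: alert display names and descriptions often echo attacker-controlled strings such as a process command line, so the example HTML-escapes them before they land inside the HTML body.

```python
"""Render the playbook's email subject and HTML body for a Sentinel alert.

Added example, not the post's or the Logic Apps connector's own code.
"""
import html
import re

# Constructed sample of the payload the "When a response to an Azure Sentinel
# alert is triggered" trigger hands to the playbook. Field names are
# assumptions derived from the dynamic-content labels used in the post.
SAMPLE_ALERT = {
    "AlertDisplayName": "Suspicious PowerShell <encoded> command",
    "Description": "powershell.exe launched with -enc SQBFAFgA... (constructed sample)",
    "Severity": "Medium",
    "WorkspaceResourceGroup": "rg-sentinel-prod",
    "StartTimeUtc": "2021-08-12T10:15:00Z",
    "EndTimeUtc": "2021-08-12T10:16:00Z",
    "TimeGenerated": "2021-08-12T10:17:30Z",
}

# Subject and Body as typed into the Gmail "Send email" action. Each @{Field}
# token stands in for a dynamic-content chip; the post's 'az' placeholders
# have been replaced with the matching token.
SUBJECT_TEMPLATE = "Azure Sentinel alert: @{AlertDisplayName} at @{TimeGenerated}"
BODY_TEMPLATE = """<p>Hello AzSec,</p>
<p>You have an incident from Azure Sentinel. Below is information:</p>
<ul>
  <li><strong>Alert Name: </strong>@{AlertDisplayName}</li>
  <li><strong>Description</strong>: @{Description}</li>
  <li><strong>Severity</strong>: @{Severity}</li>
  <li><strong>Resource Group</strong>: @{WorkspaceResourceGroup}</li>
  <li><strong>Start Time</strong>: @{StartTimeUtc}</li>
  <li><strong>End Time</strong>: @{EndTimeUtc}</li>
</ul>
<p>Please review and let us know whether this incident is false positive.</p>
<p>AzSec Team</p>"""

TOKEN = re.compile(r"@\{(\w+)\}")


def render(template, alert, escape=True):
    """Substitute every @{Field} token with the alert's value for Field.

    Missing fields render as an empty string, mirroring the null-safe ?[]
    access in Logic Apps expressions. With escape=True the value is
    HTML-escaped, which is what you want anywhere the value is placed inside
    an HTML body, because alert text frequently contains untrusted input.
    """
    def substitute(match):
        value = str(alert.get(match.group(1), ""))
        return html.escape(value, quote=True) if escape else value
    return TOKEN.sub(substitute, template)


def build_email(alert):
    """Return (subject, html_body) for one alert.

    The subject is a plain-text header, so it is not HTML-escaped; the body is
    HTML, so every interpolated alert field is escaped.
    """
    subject = render(SUBJECT_TEMPLATE, alert, escape=False)
    body = render(BODY_TEMPLATE, alert, escape=True)
    return subject, body


if __name__ == "__main__":
    subject, body = build_email(SAMPLE_ALERT)
    print("Subject:", subject)
    print(body)
```

Running the script prints the subject and body the recipient would see for the sample alert, with the angle brackets in the display name rendered as text rather than as a tag. The Logic Apps expression language has no dedicated HTML-escape function, so the nearest equivalent inside the playbook itself is chained replace() calls on the dynamic content, or sending a plain-text body instead of HTML.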
The reason you need this email notification is that Azure Sentinel currently doesn’t support it natively. With the Azure Security Center integration, you only receive an email if the severity is High, so you would miss Medium and Low severity alerts and incidents.
You can do a lot more with Azure Logic App. This article just helps you get started with Azure Sentinel automation. There will be many more use cases that need not only an email notification but other actions to respond to an incident. Stay tuned and subscribe to the AzSec blog!
If you want to parse ExtendedProperties to extract useful pieces of information before sending the email, read this article: Parse ExtendedProperty in Azure Sentinel alert for Logic App use