Notify Azure Sentinel alert to your email automatically

Currently there is no built-in functionality that notifies you by email when an incident is generated in Azure Sentinel. Checking Azure Sentinel manually every time is not practical, while working from email is simply a habit.

In this article, I’d like to share with you step-by-step guidance on how to set up an Azure Logic App playbook that sends incident information to your email.

Perform the following steps to complete the setup:

Step 1: Go to Azure Sentinel > Playbook.

Step 2: click Add Playbook.

Step 3: you are redirected to the Logic App creation page. Enter a name for the new Logic App playbook, then select the subscription and resource group.

Step 4: once the new Logic App is created, you are directed to the Logic App Designer page. From this page, click Blank Logic App.

Step 5: enter Azure Sentinel in the search box. Click the When a response to an Azure Sentinel alert is triggered (preview) trigger.

Step 6: click New step. Now you can decide which email service you want to send from. There are a bunch of email services available in Azure Logic App. In this article, my purpose is to use my personal Gmail account to send Azure Sentinel incident notifications to another personal email address. Enter Gmail in the search box and click it. Look for the Send an email action.

[Updated 08/12/2021] The Gmail connector has been updated to comply with data security policy. You can follow the steps described here to set up an authorized connection.

Step 7: you are asked to sign in to use the Gmail service. Click the Sign in button and sign into your Gmail account. Once you have signed in successfully you will see “Connected to <gmail>”. In the To field, enter the address that should receive the notification from your Gmail account.

Step 8: click Add new parameter to add the other parameters an email needs, such as the subject and the email body. From the drop-down list, select Subject and Body. You can also select CC and BCC if you’d like.

Step 8: in the Subject field, enter the subject title of the email. Azure Logic App allows you to build dynamic content. In this example, we want to tell the recipient that the email comes from Azure Sentinel, along with the alert display name and the time it was generated. Click Add dynamic content and select the Alert display name and Time generated (UTC) fields from the list.

Step 9: in the Body field, you can customize the email body with HTML. Below is a sample email body:

<p>Hello AzSec,</p>
<p>You have an incident from Azure Sentinel. Below is information:</p>
<ul>
<li><strong>Alert Name:&nbsp;</strong>az</li>
<li><strong>Description</strong>: az</li>
<li><strong>Severity</strong>: az</li>
<li><strong>Resource Group</strong>: az</li>
<li><strong>Start Time</strong>: az</li>
<li><strong>End Time</strong>: az</li>
</ul>
<p>Please review and let us know whether this incident is false positive.</p>
<p>AzSec Team</p>

Copy the HTML above and paste it into the Body field. Replace each ‘az’ placeholder with the corresponding dynamic content field (Alert display name, Description, Severity, and so on).
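To make the Subject and Body steps concrete, here is an added example (my own code, not part of the original article or of the Logic App designer) that does in Python what the dynamic content tokens do inside the playbook: it fills the article's HTML template from an alert payload and builds the subject line. The alert field names (AlertDisplayName, Description, Severity, ResourceGroup, StartTimeUtc, EndTimeUtc, TimeGenerated) and the sample alert are assumptions constructed for this example. It goes one step beyond the article in two ways: every field is HTML-escaped before it is placed in the body, because alert names and descriptions often carry attacker-influenced strings (file names, user agents, URLs) that would otherwise render as markup in the recipient's mail client, and a severity threshold is included so the playbook can notify on Medium and Low alerts too, or be tightened later.

```python
import html

# Severity ladder for the optional threshold check; Azure Sentinel uses these
# four severity labels.
SEVERITY_RANK = {"Informational": 0, "Low": 1, "Medium": 2, "High": 3}

# Fields the article's email pulls in as dynamic content. The key names are
# assumptions for this example, not a statement of the trigger's exact schema.
FIELDS = ("AlertDisplayName", "Description", "Severity",
          "ResourceGroup", "StartTimeUtc", "EndTimeUtc")

# Constructed sample alert payload. The display name deliberately contains
# markup to show why escaping matters.
SAMPLE_ALERT = {
    "AlertDisplayName": "Suspicious sign-in <script>alert(1)</script>",
    "Description": "Sign-in from an anonymous IP address & unfamiliar location",
    "Severity": "Medium",
    "ResourceGroup": "rg-sentinel-prod",
    "StartTimeUtc": "2021-08-12T08:15:00Z",
    "EndTimeUtc": "2021-08-12T08:20:00Z",
    "TimeGenerated": "2021-08-12T08:21:03Z",
}

# The article's HTML body, with each 'az' placeholder replaced by a named slot.
BODY_TEMPLATE = """<p>Hello AzSec,</p>
<p>You have an incident from Azure Sentinel. Below is information:</p>
<ul>
<li><strong>Alert Name:&nbsp;</strong>{AlertDisplayName}</li>
<li><strong>Description</strong>: {Description}</li>
<li><strong>Severity</strong>: {Severity}</li>
<li><strong>Resource Group</strong>: {ResourceGroup}</li>
<li><strong>Start Time</strong>: {StartTimeUtc}</li>
<li><strong>End Time</strong>: {EndTimeUtc}</li>
</ul>
<p>Please review and let us know whether this incident is false positive.</p>
<p>AzSec Team</p>"""


def build_subject(alert):
    """Subject line: source, alert display name and generation time (Step 8).

    Subjects are plain text, so no HTML escaping is applied here.
    """
    return "[Azure Sentinel] {} - {}".format(
        alert.get("AlertDisplayName", "n/a"),
        alert.get("TimeGenerated", "n/a"),
    )


def build_body(alert):
    """Fill the article's HTML body (Step 9), HTML-escaping every field first."""
    safe = {name: html.escape(str(alert.get(name, "n/a"))) for name in FIELDS}
    return BODY_TEMPLATE.format(**safe)


def should_notify(alert, minimum="Low"):
    """True when the alert's severity meets the threshold.

    Unknown or missing severity labels are kept rather than silently dropped,
    so a schema change never makes alerts disappear from the mailbox.
    """
    rank = SEVERITY_RANK.get(alert.get("Severity"))
    if rank is None:
        return True
    return rank >= SEVERITY_RANK[minimum]


if __name__ == "__main__":
    if should_notify(SAMPLE_ALERT, "Low"):
        print(build_subject(SAMPLE_ALERT))
        print(build_body(SAMPLE_ALERT))
```

In the playbook itself the same escaping is not available as a single designer token, so the practical mitigation is to keep the body plain and to treat the content of a notification email as untrusted data rather than clicking through links it contains.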

Step 10: everything looks good now. Click Save to save this playbook. After that, click Run.

Step 11: if you don’t want to wait for a new incident, you can trigger your playbook manually. Go to the Azure Sentinel incident page, select an existing incident and click View full details.

Step 12: There is a View playbook link. Click it.

Step 13: you will notice the playbook you created listed there. Select it and click Run.

Step 14: go check your email.

The reason you need this email notification is that Azure Sentinel currently doesn’t support it natively. In the case of the Azure Security Center integration, you only receive an email if the severity is High, so you would miss Medium and Low severity alerts and incidents.

You can do a lot more with Azure Logic App. This article just helps you get started with Azure Sentinel automation. There are many more use cases that need not only an email notification but other actions to respond to an incident. Stay tuned and subscribe to the AzSec blog!

If you want to parse ExtendedProperties to extract pieces of helpful information before sending the email, read this article: Parse ExtendedProperty in Azure Sentinel alert for Logic App use

This entry was posted in Security Automation.

13 Responses to Notify Azure Sentinel alert to your email automatically

  1. Pingback: Parse ExtendedProperty in Azure Sentinel alert for Logic App use

  2. Pingback: Extract all Azure Sentinel incidents

  3. Sofiane says:

    Thank You !!!!!

  4. zeroxcafebabe says:

    Works like a charm! Thanks a lot!

  5. It seems that the playbook is not triggered automatically by default when a new incident is registered though?

    Do I have to edit each active rule under Analytics and select my new playbook under “Automated response”?

    • Yasemin says:

      Yes, for an automatic trigger you need to select the playbook in automated response. As another way to test your playbook, you can trigger it manually by going into ‘view details’ in Sentinel and then ‘playbooks’ and then Run the wanted playbook

  6. Pingback: Transform Azure Sentinel incident to Log Analytics Workspace with Logic App

  7. Luiz says:

    Very good article.

    I’m having some problems, because the option to create when alerts are triggered, is sending email to each alert created, however, the alerts are grouped in the same incident and it is not considered a new open incident.

    Do you have any indication not to send email when the alert is created, but an incident is already open and the alert is grouped for that incident?

    I am getting created creation emails, but they are being grouped together in the same incident, so they are not considered new incidents for dealing with time.

    As the e-mail is sent for ticket management, more than one incident is created, however, no new incidents were created, rather, alerts grouped in the same incident.

    I would be grateful for some kind of help.

  8. Mike says:

    Thanks for this. Any way to get an email alert to pull in UPN or Email?

    • azsec says:

      Hi Mike,

      Could you explain in more detail? Exactly which field would you like to see in your email?

      Thank you

  9. Abubakr Siddiq says:

    Getting this error while trying to save my LogicApp:

    Failed to save logic app LogicAppAlertAutomation. The operation on workflow ‘LogicAppAlertAutomation’ cannot be completed because it contains connectors to applications ‘azuresentinel’ which are not compatible with the Gmail connector. Please see for more information.

    • azsec says:

      Thanks for your sharing.

      In fact the Gmail connector has been updated and they only allow a service principal as input to work. I will see if I have time to update the article.

      Thanks a lot

  10. Pingback: Trusted and Latest Preparation Microsoft SC-200 Practice Test Material
