Using Microsoft To-do as a Simple Ticketing System for Azure Sentinel

A customer recently asked me to suggest a very simple, low-cost service ticketing system they could use with Azure Sentinel. The following ended up serving the customer’s needs.

Microsoft To-do can be a powerful tool for those who like to keep their schedule items separate from their task lists. Many Office 365 customers may not realize that To-do is included in their subscription and can help them manage their daily, weekly and monthly task lists. They may also not realize that To-do can share tasks with team members and, in doing so, can serve as a very simple ticketing system.

For Azure Sentinel, the Microsoft To-do Logic App connector lets a Playbook generate “tickets” in Microsoft To-do and provides a number of common service desk features, including:

  • Adding to a schedule
  • Setting a reminder
  • Setting a due date
  • Assigning to another analyst
  • Adding additional information (files, notes, etc.)

I’ve pulled together an example Playbook that does this, which you can use as a template to build and customize your own.

Get the Playbook from GitHub: https://github.com/rod-trent/SentinelPlaybooks/blob/master/ToDoPlaybook

The Playbook creates a Microsoft To-do list called Azure Sentinel Incidents and, as shown in the image above, records the Incident details in the task. This version shows the Alert Display Name, Severity, Description, and Issuing Product. That’s enough to
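To make the mapping concrete, here is an added example (not the Playbook from GitHub, and not a Logic App definition) that builds the same kind of To-do task from a Sentinel alert in Python: the four fields above become the task title and note, and a severity-based due date and importance are derived on top, which the post’s Playbook does not do. The alert payload, the severity policy and the list ID are constructed for the example; the request shape follows the Microsoft Graph todoTask resource (title, body, importance, dueDateTime, reminderDateTime), which is the API the To-do connector sits on, but nothing here is sent over the network.

```python
"""Build a Microsoft To Do task from an Azure Sentinel alert.

Added example, not the post's Playbook. Assumed inputs: the alert fields
below (constructed sample), an SLA policy keyed by Sentinel severity
(assumed), and a To Do list ID (placeholder). Nothing is sent; the Graph
request is returned as a dict so it can be inspected or handed to a client.
"""
import json
from datetime import datetime, timedelta, timezone

# Constructed sample of the fields the Sentinel alert trigger exposes.
SAMPLE_ALERT = {
    "AlertDisplayName": "Suspicious sign-in from anonymous IP",
    "Severity": "High",
    "Description": "A user signed in from an IP address associated with an anonymizer.",
    "ProductName": "Azure Active Directory Identity Protection",
}

# Fixed "now" so the example is reproducible offline (constructed).
SAMPLE_NOW = datetime(2021, 1, 1, 12, 0, tzinfo=timezone.utc)

# Assumed SLA policy: (hours until due, To Do importance) per Sentinel severity.
SEVERITY_POLICY = {
    "High": (4, "high"),
    "Medium": (24, "normal"),
    "Low": (72, "low"),
    "Informational": (168, "low"),
}
DEFAULT_SEVERITY = "Informational"  # unknown/missing severity falls back here

GRAPH_TIME = "%Y-%m-%dT%H:%M:%S"  # Graph dateTimeTimeZone format, paired with a timeZone field


def build_task(alert, now=SAMPLE_NOW):
    """Return a Graph todoTask body for one Sentinel alert."""
    severity = alert.get("Severity") or DEFAULT_SEVERITY
    hours, importance = SEVERITY_POLICY.get(severity, SEVERITY_POLICY[DEFAULT_SEVERITY])
    due = now + timedelta(hours=hours)
    reminder = now + timedelta(hours=max(hours // 2, 1))  # remind at half the SLA, at least 1h

    # Same four fields the post's Playbook writes into the task.
    note = "\n".join([
        f"Severity: {severity}",
        f"Issuing Product: {alert.get('ProductName', 'unknown')}",
        "",
        alert.get("Description", ""),
    ])

    return {
        "title": f"[{severity}] {alert.get('AlertDisplayName', 'Azure Sentinel alert')}",
        "body": {"content": note, "contentType": "text"},
        "importance": importance,
        "dueDateTime": {"dateTime": due.strftime(GRAPH_TIME), "timeZone": "UTC"},
        "reminderDateTime": {"dateTime": reminder.strftime(GRAPH_TIME), "timeZone": "UTC"},
        "isReminderOn": True,
    }


def build_graph_request(list_id, task):
    """Describe the Graph call that creates the task in the given To Do list (not sent)."""
    return {
        "method": "POST",
        "url": f"https://graph.microsoft.com/v1.0/me/todo/lists/{list_id}/tasks",
        "headers": {"Content-Type": "application/json"},
        "body": json.dumps(task),
    }


if __name__ == "__main__":
    task = build_task(SAMPLE_ALERT)
    # "LIST-ID" is a placeholder; a real list ID comes from GET /me/todo/lists.
    print(json.dumps(build_graph_request("LIST-ID", task), indent=2))
```

The severity policy is the part worth tuning: it is what turns a flat notification into something with an SLA, and it is the one thing the stock Playbook leaves to the analyst.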

Incidentally, you can pin the To-do list to your Windows 10 Start Menu; the Live Tile will then show you the most recent Azure Sentinel Incidents.

Also, make sure to “Share” the Azure Sentinel Incidents To-do list with the team.

P.S. Keep in mind that this is simply a helpdesk-style alerting and task assignment system, not a two-way integration: closing a task in To-do does not close the Incident in Azure Sentinel, so the Incident still has to be closed in Sentinel itself. For smaller customers that don’t have a large security team to perform daily management of Incidents and Threat Hunting, a notification system like this lets them know when important things occur and helps ensure that securing the environment doesn’t fall through the cracks.
