Azure Sentinel: Sending an Email Each Morning with the List of Daily Incidents Created

Overnight you may have noticed that our new SecurityIncident table was finally released out of preview. The data contained in this new table is part of a huge ask by customers. It gives Azure Sentinel analysts the ability to query against Security Incident data and generate Workbooks and reports based off the data.

I’ve been using this table for a while and have found the data extremely useful. One of the more valuable abilities this has given me has been to generate a daily email that shows up in my inbox around 7am each morning that includes the list of Incidents created since last checked.

The email includes time the incident was created, the title, description, severity, and URL that links directly to the incident. This is a huge timesaver for those security teams that need to get a quick handle on the daily workload first thing each morning.

Daily New Incidents Email

The email is generated using a Logic App. The Logic App is NOT an Azure Sentinel Playbook because it needs to run on a schedule instead of being based off an Azure Sentinel trigger.

The SecurityIncident table also finally exposes the URL in a much easier manner than how it had to be done before through additional parsing and querying against AzureActivity.

So, here’s what the logic looks like:

Step 1: Recurrence Trigger – set for 7am every day
Step 2: Run query against the Azure Sentinel Log Analytics workspace (query below) and create an HTML table
Step 3: Send the email and include the HTML table created in Step 2

The query looks like the following:

SecurityIncident
| where TimeGenerated > ago(1d) 
| where Status == "Active"
| project TimeGenerated, Title, Description, Severity, IncidentUrl

And, you can always snag the latest version of this query from my GitHub repo: https://github.com/rod-trent/SentinelKQL/blob/master/SecurityIndicentsCreatedinLastDay.txt

I’ll be building this Logic App out to share soon to my GitHub repo.

BTW: Interested in the columns that are available in the new SecurityIncident table? Check them out here: https://github.com/rod-trent/AzureSentinelMisc/blob/master/SecurityIncident_Columns

Authors