Cohesity Incident Email
Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊
This playbook sends an email to the recipient with the details related to the incidents.
| Attribute | Value |
|---|---|
| Type | Playbook |
| Solution | CohesitySecurity |
| Source | View on GitHub |
Logic App Connectors
This playbook uses 2 Logic App connectors / built-in actions:
| Connector / Action | Type | Connections | Actions |
|---|---|---|---|
azuresentinel |
Managed | 1 | 0 |
outlook |
Managed | 1 | 1 |
Action parameters (URLs, paths, function IDs)
outlook (Managed)
| Action | Method | Endpoint | Other |
|---|---|---|---|
| Send_email_(V2) | post | /v2/Mail |
— |
Additional Documentation
📄 Source: Cohesity_Send_Incident_Email/readme.md
Summary
This playbook sends an email to the recipient with the incident details..
Prerequisites
- Create a distribution list (email) that will be used for sending out incident notifications.
Deployment instructions
- Deploy the playbook by clicking on the "Deploy to Azure" button. This will take you to deploying an ARM Template wizard.
- Fill in the required parameters:
- Playbook Name: Playbook display name.
- Email ID: Email (preferably a distribution list) for sending out incident notifications
Post-Deployment instructions
- Make sure the user that runs the playbook has the role Microsoft Sentinel Playbook Operator assigned. To assign the role,
- Under the Subscriptions tab from the Home page, choose your subscription name.
- Choose the Access Control (IAM) option from the left pane.
- Click on Add > Add Role Assignment and add Microsoft Sentinel Playbook Operator to the user.
- To enable this playbook, you need authorize Outlook connection (details)
- Go to Logic Apps and choose your playbook.
- Choose Development Tools\API Connections.
- Select a connection you'd like to authorize.
- Click on General\Edit API Connection.
- Press the Authorize button.
Alternatively, you can follow these steps to achieve the same goal. This would be especially useful if the previous steps didn’t work for you.
- Go to Logic Apps.
- Click on the playbook and press Edit.
- Choose Send email (V2) block.
- Click on Change Connection.
- Click on the "!" icon to authorize the connection or choose a different, previously authorized, connection.
- Press Save button to save changes in your playbook.
- If it doesn't work, repeat the steps but either choose a different connection or fix possible authorization errors for the chosen one.
Troubleshooting
To change the email address in the playbook:
- In your Microsoft Sentinel workspace, go to the Automation under the Configuration pane.
- Under Active Playbooks, select the playbook and click on Edit.
- On the Logic App Designer page, select Initialize variable 2.
- Under the value section, enter the email address for the incident notifications.
- Click Save. If the playbook fails to execute, go to your playbook Overview pane that has status of all runs. By looking at the details, you can get more ideas on what went wrong.
References
Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊