Lookout-SmishingAlert-UserNotify

Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊

↑ Back to Content Index

When a critical or high severity smishing or phishing incident is created in Microsoft Sentinel by Lookout, this playbook enriches the incident with a comment documenting the phishing campaign context, attack intelligence, and recommended analyst next steps.

Attribute	Value
Type	Playbook
Solution	Lookout
Source	View on GitHub

Logic App Connectors

This playbook uses 1 Logic App connector / built-in action:

Connector / Action	Type	Connections	Actions
`azuresentinel`	Managed	1	2

Action parameters (URLs, paths, function IDs)

`azuresentinel` (Managed)

Action	Method	Endpoint	Other
Entities_-_Get_Accounts	post	`/entities/account`	—
Add_incident_comment	post	`/Incidents/Comment`	—

Additional Documentation

📄 Source: Lookout-SmishingAlert-UserNotify/readme.md

Overview

This playbook triggers automatically when Microsoft Sentinel creates an incident from the Lookout - Critical Smishing and Phishing Alerts (v2) analytic rule. Speed is critical for smishing — the device owner must be warned before they act on the malicious message. The playbook performs three automated actions:

SOC Notification — Posts an urgent Teams message to the SOC channel with full phishing context: alert type, threat category, impersonation risk, campaign indicators, risk score, and a direct link to the Sentinel incident.
User Warning Email — Sends an urgent HTML email to the targeted device owner instructing them not to click suspicious links, not to enter credentials on sites reached via SMS, to forward suspicious messages to IT Security, and to contact IT immediately if they have already clicked a link.
Incident Enrichment — Adds a structured comment with attack intelligence, campaign context, and recommended next steps including credential reset procedures if a link was clicked.

Analytic Rules Supported

Rule	Severity
Lookout - Critical Smishing and Phishing Alerts (v2)	High

Prerequisites

A Microsoft Teams team and channel configured for SOC security alerts.
A Microsoft 365 / Office 365 account authorized to send email.
The playbook managed identity must be granted the Microsoft Sentinel Responder role on the Log Analytics workspace.

Deployment

Deployment Parameters

Parameter	Required	Description
PlaybookName	No	Name of the Logic App (default: `Lookout-SmishingAlert-UserNotify`)
TeamsGroupId	Yes	Microsoft Teams Group (Team) ID for SOC notifications
TeamsChannelId	Yes	Microsoft Teams Channel ID for SOC notifications

Finding your Teams IDs: In Microsoft Teams, right-click the channel → Get link to channel. The URL contains both groupId and the channel ID.

Post-Deployment Configuration

Step 1 — Authorize API Connections

After deployment, navigate to the resource group in the Azure portal and authorize the API connections:

Open the teams-Lookout-SmishingAlert-UserNotify connection → Edit API connection → Authorize → Save.
Open the office365-Lookout-SmishingAlert-UserNotify connection → Edit API connection → Authorize → Save.

Step 2 — Assign Sentinel Responder Role

Navigate to your Microsoft Sentinel workspace → Settings → Workspace settings.
Select Access control (IAM) → Add role assignment.
Role: Microsoft Sentinel Responder.
Assign to: the Logic App's managed identity (Lookout-SmishingAlert-UserNotify).

Step 3 — Create Automation Rule

In Microsoft Sentinel, go to Automation → + Create → Automation rule.
Configure:
- Trigger: When incident is created
- Conditions: Analytics rule name — Contains — Lookout - Critical Smishing and Phishing
- Actions: Run playbook → Lookout-SmishingAlert-UserNotify
Save the automation rule.

Permissions Summary

Connection	Auth Method	Permission Required
Microsoft Sentinel	Managed Identity	Microsoft Sentinel Responder
Microsoft Teams	User Account	Channel Post Messages
Office 365	User Account	Send Email