Create Incident From Microsoft Forms Response
Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊
This playbook will create a new Microsoft Sentinel incident when Microsoft Forms response is submitted.
| Attribute | Value |
|---|---|
| Type | Playbook |
| Solution | SentinelSOARessentials |
| Source | View on GitHub |
Logic App Connectors
This playbook uses 3 Logic App connectors / built-in actions:
| Connector / Action | Type | Connections | Actions |
|---|---|---|---|
azuresentinel |
Managed | 1 | 1 |
microsoftforms |
Managed | 1 | 1 |
office365 |
Managed | 1 | 2 |
Action parameters (URLs, paths, function IDs)
azuresentinel (Managed)
| Action | Method | Endpoint | Other |
|---|---|---|---|
| Create_incident | put | /Incidents/subscriptions/@{encodeURIComponent(parameters('Subscription'))}/resourceGroups/@{encodeURIComponent(parameters('Resource Group'))}/workspaces/@{encodeURIComponent(parameters('Workspace Name'))} |
— |
microsoftforms (Managed)
| Action | Method | Endpoint | Other |
|---|---|---|---|
| Get_response_details | get | /formapi/api/forms('@{encodeURIComponent(parameters('Microsoft Forms ID'))}')/responses |
— |
office365 (Managed)
| Action | Method | Endpoint | Other |
|---|---|---|---|
| Send_an_email_(V2)_-_success | post | /v2/Mail |
— |
| Send_an_email_(V2)_-_fail | post | /v2/Mail |
— |
Additional Documentation
📄 Source: CreateIncident-MicrosoftForms/readme.md
CreateIncident-MicrosoftForms
author: Benjamin Kovacevic
This playbook will create a new Microsoft Incident when Microsoft Forms response is submitted.
Prerequisites
- Create Microsoft Forms from template - https://forms.office.com/Pages/ShareFormPage.aspx?id=b6PlTP9aoEiHWDhi2Ji_bQ9ohJdYaDxFpei_Nyf2P35UQVBRWk83OUhCUjUyU0pUWkdIV1FMNjFCVC4u&sharetoken=7MfhwUMCnEB9pBTvSX7w
- After the template deployment, save Microsoft Forms ID as it will be needed to deploy the playbook. It is possible to choose Form ID after the playbook is deployed as well using Logic App Designer.
- Configure who can fill the template - the suggestion is either specific people from the organization or the whole organization - https://support.microsoft.com/en-us/topic/choose-who-can-fill-out-a-form-or-quiz-c90c641e-6f88-45c5-9cb9-aca2b4083949
- Prepare Subscription ID, Resource Group name, and Log Analytics Workspace name as it is needed for template deployment.
Quick Deployment
Post-deployment
- Assign Microsoft Sentinel Responder role to the managed identity. To do so, choose Identity blade under Settings of the Logic App.
- If Microsoft Forms ID wasn't entered while deploying, open Logic App Designer and choose Microsoft Forms from the drop-down menu
- If notification about successful or unsuccessful incident creation is not needed, please delete the "Condition" step
- Authorize Microsoft Forms, Office 365 Outlook connector, and Conversion Service connector (HTML to text). Note: If in step 3, email notification is deleted, there will be no Office 365 Outlook connector.
Note for Microsoft Forms changes
If there are made any changes to the Microsoft Forms template (questions changed or translated to the local language), there is a need to adjust the playbooks template by mapping correct values in Logic App Designer:
When editing, important information is that certain fields accept only certain values:
- Severity - Informational/Low/Medium/High
- Status - New/Active/Closed
- Owner Object Id / UPN - only Azure AD object ID or user's UPN
- Assign/Unassign Owner - Assign/Unassign
Screenshots
Playbook
Microsoft Forms template
Microsoft Sentinel Incident
Email notification
Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊