Incident Assignment Shifts
Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊
This playbook will assign an Incident to an owner based on the Shifts schedule in Microsoft Teams. When an incident is assigned, the incident owner will be notified via email. Incidents are assigned to users based on the following criteria:
*Only users who have started their shifts during the time the Logic App runs will be considered. *Users who still have at least 1 hours left before going off shift (can be configured in playbook) *User with the least incidents assigned on the current Shif
| Attribute | Value |
|---|---|
| Type | Playbook |
| Solution | SentinelSOARessentials |
| Source | View on GitHub |
Logic App Connectors
This playbook uses 5 Logic App connectors / built-in actions:
| Connector / Action | Type | Connections | Actions |
|---|---|---|---|
azuremonitorlogs |
Managed | 1 | 1 |
azuresentinel |
Managed | 1 | 2 |
office365 |
Managed | 1 | 1 |
shifts |
Managed | 1 | 1 |
http |
Built-in | 0 | 1 |
Action parameters (URLs, paths, function IDs)
azuremonitorlogs (Managed)
| Action | Method | Endpoint | Other |
|---|---|---|---|
| Run_query_and_list_results_-Get_user_with_low_assignment | post | /queryData |
— |
azuresentinel (Managed)
| Action | Method | Endpoint | Other |
|---|---|---|---|
| Add_comment_to_incident_(V3) | post | /Incidents/Comment |
— |
| Update_incident | put | /Incidents |
— |
office365 (Managed)
| Action | Method | Endpoint | Other |
|---|---|---|---|
| Send_an_email_(V2) | post | /v2/Mail |
— |
shifts (Managed)
| Action | Method | Endpoint | Other |
|---|---|---|---|
| List_all_shifts | get | /v1.0/teams/@{encodeURIComponent('')}/schedule/shifts |
— |
http (Built-in)
| Action | Method | Endpoint | Other |
|---|---|---|---|
| HTTP_-_Get_total_incidents_for_user | GET | [uriComponentToString(uri(variables('azure'),'subscriptions/@{triggerBody()?[''workspaceInfo'']?[''SubscriptionId'']}/resourceGroups/@{triggerBody()?[''workspaceInfo'']?[''ResourceGroupName'']}/providers/Microsoft.OperationalInsights/workspaces/@{triggerBody()?[''workspaceInfo'']?[''WorkspaceName'']}/providers/Microsoft.SecurityInsights/Incidents?api-version=2020-01-01&$filter=(properties/owner/objectId eq ''@{items(''For_each_Shifts_list'')?[''userId'']}'' and properties/createdTimeUtc ge @{items(''For_each_Shifts_list'')?[''sharedShift'']?[''startDateTime'']})&$top=1000'))] |
— |
Additional Documentation
📄 Source: Incident-Assignment-Shifts/readme.md
Incident-Assignment-Shifts
author: Jeremy Tan
version: 2.2
This playbook will assign an Incident to an owner based on the Shifts schedule in Microsoft Teams.
Pre-requisites:
Ensure you have the following details:
1. User account or Service Principal or Managed Identity with Microsoft Sentinel Responder role
Create or use an existing user account/ Service Principal/ Managed Identity with Microsoft Sentinel Responder role.
This will be used in Microsoft Sentinel connectors (Incident Trigger, Update incident & Add comment to incident) and a HTTP connector.
This example will walk you through using System Managed Identity for the above connectors.
2. Setup Shifts schedule
You must have the Shifts schedule setup in Microsoft Teams.
The Shifts schedule must be published (Share with team).
3. User account with Owner role in Microsoft Teams
Create or use an existing user account or managed identity with Owner role in a Team.
The user account will be used in Shifts connector (List all shifts).
4. User account or Service Principal with Log Analytics Reader role
Create or use an existing user account or Service Principal with Log Analytics Reader role on the Microsoft Sentinel workspace.
The user account or Service Principal will be used in Azure Monitor Logs connector (Run query and list results).
5. An O365 account to be used to send email notification
- The user account will be used in O365 connector (Send an email).
Post Deployment Configuration:
1. Enable Managed Identity and configure role assignment
Once deployed, go to the Logic App's blade and click on Identity under Settings.
Select On under the System assigned tab. Click Save and select Yes when prompted.
Click on Azure role assignments to assign role to the Managed Identity.
- Click on + Add role assignment.
- Select Resource group under Scope and select the Subscription and Resource group where the Microsoft Sentinel Workspace is located. Select Microsoft Sentinel Responder under Role and click Save.
2. Configure connections
- Edit the Logic App or go to Logic app designer.
- Expand each step to find the following connectors (6 in total) with
.- Incident Trigger
- Update Incident
- Add comment to incident
- List all shifts
- Run query and list results
- Send an email
- Fix these connectors by adding a new connection to each connector and sign in with the accounts described under pre-requisites.
3. Select the Shifts schedule
Edit the Logic App or go to Logic app designer.
Find the List all shifts connector, click on the X sign next to Team field for the drop-down list to appear.
Select the Teams channel with your Shifts schedule from the drop-down list.
Save the Logic App once you have completed the above steps.
Incident Assignment Logic:
Incidents are assigned to users based on the following criteria:
- Only users who have started their shifts during the time the Logic App runs will be considered.
[Content truncated...]
Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊