Incident Trigger Entity Analyzer
Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊
This playbook is triggered by Microsoft Sentinel incidents and performs automated investigation and enrichment of URL and User entities associated with the incident. It includes intelligent user identifier detection supporting objectGuid, aadUserId, UPN, and Name+UPNSuffix combinations.
| Attribute | Value |
|---|---|
| Type | Playbook |
| Solution | SentinelSOARessentials |
| Source | View on GitHub |
Logic App Connectors
This playbook uses 2 Logic App connectors / built-in actions:
| Connector / Action | Type | Connections | Actions |
|---|---|---|---|
azuresentinel |
Managed | 1 | 5 |
sentinelmcp |
Managed | 1 | 2 |
Action parameters (URLs, paths, function IDs)
azuresentinel (Managed)
| Action | Method | Endpoint | Other |
|---|---|---|---|
| Entities_-_Get_URLs | post | /entities/url |
— |
| Add_Url_comment_to_incident | post | /Incidents/Comment |
— |
| Entities_-_Get_Accounts | post | /entities/account |
— |
| Add_User_comment_to_incident | post | /Incidents/Comment |
— |
| Add_Skip_comment_to_incident | post | /Incidents/Comment |
— |
sentinelmcp (Managed)
| Action | Method | Endpoint | Other |
|---|---|---|---|
| URL_Analyzer | post | /aiprimitives/analysis |
— |
| User_Analyzer | post | /aiprimitives/analysis |
— |
Additional Documentation
Multi-Entity Analyzer - Microsoft Sentinel Playbook
Activating the 'Deploy' button initiates the deployment of an Azure Logic App integrated with Microsoft Sentinel MCP Actions, utilizing a Microsoft Sentinel incident trigger. The Logic App is configured to run when a new incident is created in Sentinel. This Logic App automatically analyzes all URL and User entities within the incident and provides detailed security insights including classification, analysis results, and recommendations for each entity type.
The playbook automatically triggers when:
- A new incident is created in Microsoft Sentinel
- The incident contains URL entities that need security analysis
- The incident contains User/Account entities that require behavioral analysis
- Security analysts need comprehensive automated analysis of multiple entity types
After the analysis is complete, the MCP Entity Analyzer conducts a comprehensive investigation of each entity type and automatically adds detailed comments to the incident with:
- URL Analysis: Security classification, threat intelligence, and URL reputation analysis
- User Analysis: Behavioral analysis, risk assessment, and user activity patterns
- Classification: Security classification for each entity
- Analysis Results: Detailed security analysis findings for each entity
- Recommendations: Security recommendations based on the analysis
- Disclaimer: AI-generated analysis disclaimer
Prerequisites
Prior to beginning the installation process, it's crucial to confirm that you have met the following prerequisites:
- The user deploying this Logic App needs to have a Contributor Role
- The user has permissions to access Microsoft Sentinel workspace
- The SentinelMCP connector is available in your environment
- The Logic App will automatically use the workspace ID from the incident trigger
Parameters
During deployment, you'll need to provide:
- PlaybookName: Name for the Logic App (default: "Entity-Analyzer-Incident-Trigger")
- lookBackDays: Number of days to look back for entity analysis (default: 60 days)
Deployment
To deploy the Multi-Entity Analyzer Logic App:
- Press on the Deploy button below
- Select your subscription and resource group (use the same tenant where Microsoft Sentinel is configured)
- Configure the lookBackDays parameter if needed (default is 60 days)
- The workspace ID will be automatically retrieved from the incident
Post Deployment
After successful deployment:
- The Logic App will be automatically enabled and ready to use
- Authenticate the connections: Go to the Logic App → API connections and authenticate:
- Microsoft Sentinel connection: Authenticate with a user that has Sentinel permissions
- SentinelMCP connection: Authenticate with Microsoft Sentinel MCP permissions
- The playbook will automatically trigger when new incidents are created
- Manual execution: You can also run this playbook manually from the incident page
- Automation Rule: Consider creating an automation rule to run this playbook automatically on specific incident types
How It Works
- Trigger: The Logic App triggers when a new incident is created in Microsoft Sentinel
- Entity Extraction: The playbook extracts all URL and User entities from the incident
- Parallel Analysis:
- URLs: Each URL is analyzed for security threats, reputation, and classification
- Users: Each user account is analyzed for behavioral patterns and risk assessment
- Processing: The analysis results are formatted with emojis and proper formatting
- Output: Separate detailed comments are added to the incident for each analyzed entity:
- One comment per URL entity analyzed
- One comment per User entity analyzed
Sample Output
The playbook generates formatted comments in the incident for each entity type:
URL Analysis Output:
🔗 URL Analysis for: https://example.com
*[Content truncated...]*
---
**Browse:** [🏠](../README.md) · [Solutions](../solutions-index.md) · [Connectors](../connectors-index.md) · [Methods](../methods-index.md) · [Tables](../tables-index.md) · [Content](../content/content-index.md) · [Parsers](../parsers/parsers-index.md) · [ASIM Parsers](../asim/asim-index.md) · [ASIM Products](../asim/asim-products-index.md) · [Logic Apps](../logic-apps/logic-apps-index.md) · [📊](../statistics.md)
↑ [Back to Playbooks](playbooks.md) · [Back to SentinelSOARessentials](../solutions/sentinelsoaressentials.md)