Send incident email with XDR Portal links
Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · 📊
This playbook will send an email with incident and entity information with all links pointing to the security.microsoft.com portal
| Attribute | Value |
|---|---|
| Type | Playbook |
| Solution | SentinelSOARessentials |
| Source | View on GitHub |
Additional Documentation
📄 Source: Send-Incident-Email-XDRPortal/readme.md
Send-Incident-Email-XDRPortal
author: Brian Delaney
Summary
This playbook sends an email with an incident report including alert details and entity information. Incident and entity links go to the security.microsoft.com portal. Sentinel must be connected to the XDR portal for this to work on all incidents.
Prerequisites
- A Microsoft 365 (M365) account to send email notifications (the user account will be used in the O365 connector for sending emails).
- Sentinel must be connected to the XDR Portal
Deployment instructions
- To deploy the playbook, click the Deploy to Azure button below. This will launch the ARM Template deployment wizard.
- Fill in the required parameters:
- Playbook Name
- Microsoft Graph Endpoint (https://graph.microsoft.com)
- Denfeder Portal Endpoint (https://security.microsoft.com)
- SOC Phone Number
- SOC Email Address
- Notification Email Address
Post-deployment Instructions
Authorize connections
Once deployment is complete, authorize the connection.
- Open the Logic App in the Azure portal.
- Click Connections
- Expand Office 365 Outlook
- Click the link to Open Connection, or reassign a new one
- Sign in with the account to be used for sending email
- Click Save.
Grant Permissions
- Locate and note the Logic App managed identity id (Logic App -> Settings -> Identity)
- Locate a note the Entra ID Tenant ID (Entra ID -> Tenant ID)
- Update the PowerShell Script below with the IDs from above
- Run the PowerShell script to grant API Permissions. This can be run locally or from Cloud Shell
$MIGuid = "<LogicAppManagedIdentityId>"
$TenantId = "<TenantId>"
Connect-MgGraph -TenantId $TenantId -Scopes AppRoleAssignment.ReadWrite.All, Application.Read.All -NoWelcome -ErrorAction Stop
$MSI = Get-MgServicePrincipal -ServicePrincipalId $MIGuid
$AppId = "00000003-0000-0000-c000-000000000000"
$permissions = @("SecurityAlert.Read.All", "SecurityIncident.Read.All")
$GraphServicePrincipal = Get-MgServicePrincipal -Filter "appId eq '$AppId'"
foreach ($PermissionName in $permissions) {
$AppRole = $GraphServicePrincipal.AppRoles | Where-Object {$_.Value -eq $PermissionName -and $_.AllowedMemberTypes -contains "Application"}
New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $MSI.Id -PrincipalId $MSI.Id -ResourceId $GraphServicePrincipal.Id -AppRoleId $AppRole.Id
}
Write-Host "Assigned permissions to Managed Identity Service Principal."
b. Attach the playbook
- In Microsoft Sentinel, configure an automation rule to trigger this playbook when an incident is created. - Learn more about automation rules
Screenshots
Playbook
Email
Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · 📊