AS-Incident-Response-Approval-Email

Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊

↑ Back to Content Index

This playbook is intended to be run from a Microsoft Sentinel incident. It will facilitate incident response by sending an approval email to the manager(s) of the user(s) associated with the incident.

Attribute	Value
Type	Playbook
Solution	Standalone Content
Source	View on GitHub

Logic App Connectors

This playbook uses 4 Logic App connectors / built-in actions:

Connector / Action	Type	Connections	Actions
`azuresentinel`	Managed	1	3
`keyvault`	Managed	1	1
`office365`	Managed	1	0
`http`	Built-in	0	1

Action parameters (URLs, paths, function IDs)

`azuresentinel` (Managed)

Action	Method	Endpoint	Other
Entities_-_Get_Accounts	post	`/entities/account`	—
Update_incident_-_Close_as_benign_positive	put	`/Incidents`	—
Add_comment_to_incident_(V3)_-_Indicate_true_positive	post	`/Incidents/Comment`	—

`keyvault` (Managed)

Action	Method	Endpoint	Other
Get_Secret	get	`[concat('/secrets/@{encodeURIComponent(''', parameters('SecretName'), ''')}/value')]`	—

`http` (Built-in)

Action	Method	Endpoint	Other
HTTP_-_Get_User_Manager	GET	`https://graph.microsoft.com/v1.0/users/@{items('For_each_-_User_account')?['AadUserId']}/manager`	—

Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊

↑ Back to Playbooks

AS-Incident-Response-Approval-Email

Logic App Connectors

azuresentinel (Managed)

keyvault (Managed)

http (Built-in)

`azuresentinel` (Managed)

`keyvault` (Managed)

`http` (Built-in)