How to use the currently logged in user as variable in Sentinel Azure Logic App

Pierre-9593 0 Reputation points
2023-02-09T07:16:23.85+00:00

I have a runbook called "Sentinel-Assign-and-Activate" which assigns the Sentinel incident to a hard-coded UPN and changes the incident status to "Active".

How can I make this more dynamic and usable by team-members by dynamically setting the assignee UPN to the user that is executing the runbook?


1 answer

  1. JamesTran-MSFT 36,461 Reputation points Microsoft Employee
    2023-02-22T19:30:44.3633333+00:00

    @Pierre-9593

    Thank you for your time and patience on this!

    I received a response from our Sentinel team: getting the UPN of the user(s) who triggered the logic app from Microsoft Sentinel isn't possible. However, one option you can do is enable Sentinel Health for Automation, which will write logs to the SentinelHealth table, and from there you can use Azure Monitor Logs to query the table (after the table updates) in order to get the user info needed.

    Since the feature you're looking for isn't directly possible within the Playbook/Logic App, I'd recommend leveraging our User Voice forum and creating a feature request, so our engineering team can look into implementing this.

    I've also created an internal feature request, so our engineering team is aware of this as well.


    Findings:

    Within my own environment, I did some testing and will share my findings below. As you mentioned - a Sentinel user could just manually assign an incident to themselves pretty easily, and you'd like to package multiple actions into a single logic app to improve efficiency when handling incidents.

    Taking what you mentioned into consideration, you can still have users manually assign an Incident to themselves and run your Playbook (Logic App), since the UI makes it seamless for Sentinel Users. However, within your Logic App you can update the Incident as needed to meet your organization's needs.

    Playbook:

    After the Sentinel User Assigns the Incident to themselves and Runs the Playbook, your Playbook can:

    • Get the Incident Information via the Microsoft Sentinel Incident Trigger
    • Update the Incident using the data from the Microsoft Sentinel Incident Trigger
    • Add a Comment with the relevant info needed.

    Optionally, you can expand on your Playbook by initializing variables or parsing the JSON output from the Microsoft Sentinel Incident Trigger.

    I hope this helps!


    If you have any other questions, please let me know. Thank you for your time and patience throughout this issue.
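As an added example (not code from the answer, the asker's runbook, or Microsoft's Sentinel connector), the following shows the logic the accepted workaround relies on: instead of a hard-coded UPN, the playbook reads the owner that the analyst assigned in the UI from the Microsoft Sentinel incident trigger payload, and only activates the incident when an owner is actually present. The payload is a constructed, trimmed sample of the trigger's `object.properties` fields; the returned key names (`incidentArmId`, `ownerUpn`, `status`, `comment`) are this example's own names for the values you would map into the Update incident and Add comment actions.

```python
import json
from typing import Optional

# Constructed sample of a Microsoft Sentinel incident trigger body, trimmed to the
# fields this example uses (the real payload carries many more properties).
ASSIGNED_TRIGGER_BODY = json.dumps({
    "object": {
        "id": "/subscriptions/<sub>/resourceGroups/<rg>/providers/Microsoft.OperationalInsights/"
              "workspaces/<ws>/providers/Microsoft.SecurityInsights/Incidents/<incident-guid>",
        "properties": {
            "incidentNumber": 1234,
            "status": "New",
            "owner": {
                "assignedTo": "Analyst One",
                "email": "analyst.one@example.com",
                "userPrincipalName": "analyst.one@example.com",
                "objectId": "00000000-0000-0000-0000-000000000000",
            },
        },
    }
})

# Same incident before any analyst assigned it (owner fields are null in the trigger).
UNASSIGNED_TRIGGER_BODY = json.dumps({
    "object": {
        "id": "/subscriptions/<sub>/.../Incidents/<incident-guid>",
        "properties": {"incidentNumber": 1234, "status": "New", "owner": {"userPrincipalName": None}},
    }
})


def build_activation_update(trigger_body: str) -> Optional[dict]:
    """Derive the Update incident / Add comment inputs from the triggering incident.

    Returns None when the playbook should take no action: nobody has assigned the
    incident yet (so there is no UPN to honour, and we must not fall back to a
    hard-coded one), or the incident is already Closed and should not be reopened.
    The Logic App can branch on that empty result with a Condition action.
    """
    incident = json.loads(trigger_body)["object"]
    props = incident["properties"]
    upn = (props.get("owner") or {}).get("userPrincipalName")
    if not upn or props.get("status") == "Closed":
        return None
    return {
        "incidentArmId": incident["id"],          # identifies the incident to update
        "ownerUpn": upn,                          # owner taken from the trigger, not hard-coded
        "status": "Active",                       # the status change the runbook performs
        "comment": f"Incident {props['incidentNumber']} activated by playbook for {upn}",
    }
```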