Thank you for your time and patience on this!
I received a response from our Sentinel team, and getting the UPN of the user(s) who triggered the logic app from Microsoft Sentinel isn't possible. However, one option is to enable Sentinel Health for Automation, which will write logs to the SentinelHealth table, and from there you can use Azure Monitor Logs to query the table (after the table updates) in order to get the user info needed.
Since the feature you're looking for isn't directly possible within the Playbook/Logic App, I'd recommend leveraging our User Voice forum and creating a feature request, so our engineering team can look into implementing this.
I've also created an internal feature request, so our engineering team is aware of this as well.
Findings:
Within my own environment, I did some testing and will share my findings below. As you mentioned, a Sentinel user could just manually assign an incident to themselves pretty easily, and you'd like to package multiple actions into a single logic app to improve efficiency when handling incidents.
Taking what you mentioned into consideration, you can still have users manually assign an Incident to themselves and run your Playbook (Logic App) - since the UI makes it seamless for Sentinel Users. However, within your Logic App you can update the Incident as needed to meet your organization's needs.
Playbook:
After the Sentinel User Assigns the Incident to themselves and Runs the Playbook, your Playbook can:
- Get the Incident Information via the Microsoft Sentinel Incident Trigger
- Update the Incident using the data from the Microsoft Sentinel Incident Trigger
- Add a Comment with the relevant info needed.
Optionally, you can expand on your Playbook by initializing variables or parsing the JSON output from the Microsoft Sentinel Incident Trigger.
I hope this helps!
If you have any other questions, please let me know. Thank you for your time and patience throughout this issue.
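As an added example (not part of the reply above), here is a KQL query of the kind the reply points to: once Sentinel Health for Automation is enabled, it pulls manual playbook runs out of the SentinelHealth table so that the user who triggered the playbook can be matched to the incident. The top-level columns (TimeGenerated, SentinelResourceType, SentinelResourceName, OperationName, Status, Description, ExtendedProperties) are the documented SentinelHealth columns; the OperationName value and the ExtendedProperties sub-fields (TriggeredBy, TriggeredOn, TriggeredFor, TriggeredPlaybook) are assumptions about the record shape and should be checked against a real record before relying on them.

```kql
// Added example, not from the original reply.
// Assumes Sentinel Health for Automation is enabled for this workspace so that
// playbook trigger events land in SentinelHealth.
// Step 1 (run this first): look at a few raw automation records to confirm the
// OperationName value and the keys inside ExtendedProperties for your tenant.
SentinelHealth
| where TimeGenerated > ago(1d)
| where SentinelResourceType == "Playbook"
| take 5
// Step 2: list who triggered which playbook on which incident.
// The sub-field names below are an assumption based on the documented record
// layout; adjust them to whatever step 1 shows.
SentinelHealth
| where TimeGenerated > ago(7d)
| where SentinelResourceType == "Playbook"
| where OperationName == "Playbook was triggered"   // assumed value, verify in step 1
| extend TriggeredBy        = ExtendedProperties.TriggeredBy        // assumed: user or automation rule that ran it
| extend TriggeredOn        = tostring(ExtendedProperties.TriggeredOn) // assumed: "Incident" for incident playbooks
| extend TriggeredFor       = ExtendedProperties.TriggeredFor       // assumed: the incident the run was started for
| extend TriggeredPlaybook  = ExtendedProperties.TriggeredPlaybook  // assumed: the playbook's own identity
// Keep only runs started by a person (manual "Run playbook" from the incident UI),
// not runs kicked off by an automation rule.
| where tostring(TriggeredBy.Kind) == "User"
| project TimeGenerated,
          PlaybookName     = SentinelResourceName,
          RunStatus        = Status,
          TriggeredByName  = tostring(TriggeredBy.Name),
          TriggeredById    = tostring(TriggeredBy.Id),
          IncidentArmId    = tostring(TriggeredFor.IncidentArmId),
          Description
| order by TimeGenerated desc
```

In practice the first query is the important one: SentinelHealth records are dynamic JSON, so confirming the exact key names in your own workspace takes a few seconds and avoids a silently empty result from the second query. Note also that the table is populated after the run completes, so the user identity is available to a follow-up query or a scheduled analytics rule, not to the running playbook itself, which is consistent with the reply's point that the trigger cannot expose it directly.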