There are several plausible reasons why sending an email when a new incident is created is not a built-in feature of Azure Sentinel, and why it is instead done through Logic Apps playbooks:
Flexibility and customization: By requiring users to utilize logic apps and playbooks, Azure Sentinel allows for greater flexibility and customization in the actions triggered by an incident. This approach enables users to define specific workflows, integrate with various systems, and apply additional logic or conditions before sending an email. It provides a more comprehensive solution beyond just email notifications.
Integration with existing systems: Azure Sentinel is designed to integrate with a wide range of tools and systems, not just email. By using logic apps or playbooks, users can connect Sentinel with different services, platforms, or ticketing systems to create a more integrated and streamlined incident management process.
Scalability and automation: Logic apps and playbooks enable automation at scale. Instead of a fixed, one-size-fits-all notification, they let you build dynamic workflows that run independently for every incident, apply filtering or decision-making logic (for example suppressing low-severity noise or de-duplicating retries), and send notifications to different recipients based on severity, analytic rule, or other incident properties.
While it may seem like an additional step to set up a logic app or playbook just for email notifications, it provides a more robust and flexible solution that can be tailored to specific organizational requirements and integrate with existing processes. In practice, an incident-triggered playbook is attached through an automation rule, whose own conditions (severity, analytic rule name, tactics, and so on) already filter which incidents reach the playbook, so the email step only fires for the incidents you actually want to hear about.
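As an added illustration (not part of the original answer, and not Microsoft's or Sentinel's own code), the following Python models the conditional routing a playbook typically layers on top of a plain "send an email" action: a severity floor, per-severity recipient lists, a Cc to the assigned owner, and suppression of redelivered incidents. The incident payloads are constructed for the example and modeled on the shape the Microsoft Sentinel incident trigger hands to a playbook (`object.properties.*`); which fields exist beyond `severity`, `title`, `incidentNumber` and `incidentUrl` is an assumption, as are all addresses, and the "send" step just captures the message instead of talking to SMTP.

```python
"""Playbook-style routing for Sentinel incident notifications (added example).

The payload shape (object.properties.*) is modeled on the Microsoft Sentinel
incident trigger; field names other than severity/title/incidentNumber/
incidentUrl are assumptions. Addresses are placeholders.
"""
from dataclasses import dataclass, field
from email.message import EmailMessage
from typing import List, Optional, Set

SEVERITY_RANK = {"Informational": 0, "Low": 1, "Medium": 2, "High": 3}
MIN_SEVERITY = "Medium"  # Informational/Low incidents never produce mail

# Per-severity recipients (assumed addresses): High pages on-call, Medium goes to the SOC queue.
ROUTES = {
    "High": ["oncall-ir@example.com", "soc-leads@example.com"],
    "Medium": ["soc@example.com"],
}


@dataclass
class IncidentNotifier:
    """Turns incident-trigger payloads into email, applying playbook-style conditions."""
    seen: Set[int] = field(default_factory=set)          # incident numbers already mailed
    outbox: List[EmailMessage] = field(default_factory=list)  # captured instead of SMTP

    def recipients_for(self, severity: str) -> List[str]:
        """Recipient list for a severity, or [] when it is below the notification floor."""
        if SEVERITY_RANK.get(severity, -1) < SEVERITY_RANK[MIN_SEVERITY]:
            return []
        return list(ROUTES.get(severity, []))

    def handle(self, payload: dict) -> Optional[EmailMessage]:
        """Process one trigger payload; return the composed mail, or None if suppressed."""
        props = payload["object"]["properties"]
        number = int(props["incidentNumber"])
        severity = props["severity"]
        if number in self.seen:        # the trigger may redeliver; don't mail twice
            return None
        to = self.recipients_for(severity)
        if not to:
            return None
        msg = EmailMessage()
        msg["From"] = "sentinel-playbook@example.com"
        msg["To"] = ", ".join(to)
        owner_email = (props.get("owner") or {}).get("email")  # assumed field
        if owner_email:
            msg["Cc"] = owner_email
        msg["Subject"] = f"[Sentinel][{severity}] #{number}: {props['title']}"
        msg.set_content(
            f"Severity: {severity}\n"
            f"Status: {props.get('status', 'Unknown')}\n"
            f"Description: {props.get('description', '')}\n"
            f"Link: {props.get('incidentUrl', 'n/a')}\n"
        )
        self.seen.add(number)
        self.outbox.append(msg)
        return msg


def make_payload(number: int, severity: str, title: str, owner: Optional[str] = None) -> dict:
    """Build a constructed incident payload in the trigger's object.properties shape."""
    props = {
        "incidentNumber": number,
        "severity": severity,
        "status": "New",
        "title": title,
        "description": "Constructed sample incident for the example.",
        "incidentUrl": f"https://portal.azure.com/#incident/{number}",
    }
    if owner:
        props["owner"] = {"email": owner}
    return {"object": {"properties": props}}


def run_demo() -> List[EmailMessage]:
    """Feed four constructed incidents through the notifier; two should produce mail."""
    notifier = IncidentNotifier()
    events = [
        make_payload(1001, "High", "Suspicious sign-in from anonymous proxy", owner="analyst@example.com"),
        make_payload(1002, "Low", "Benign scanner activity"),        # below the floor
        make_payload(1003, "Medium", "Rare process spawned by Office app"),
        make_payload(1001, "High", "Suspicious sign-in from anonymous proxy"),  # redelivery
    ]
    for evt in events:
        notifier.handle(evt)
    return notifier.outbox


if __name__ == "__main__":
    for m in run_demo():
        print(m["To"], "|", m["Subject"])
```

The same decisions map one-to-one onto Logic Apps building blocks: the severity floor becomes a Condition action (or, better, a condition on the automation rule that triggers the playbook), the recipient table becomes a Switch on `severity`, and the redelivery guard is the reason playbooks are normally written to be idempotent.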