Why is not not easier to send an email when a sentinel incident is created?

Reilly Christopher, B2B-ITL-CRW-WNE-NT2-1 5 Reputation points
2023-05-24T13:38:25.92+00:00

I think my title says it all really, but I don't understand why there isn't an option in Sentinel, like there is in M365 Defender, to send an email when a new incident is created.

It's the most basic thing but you make us go make logic apps and playbooks so we can have that functionality.

I don't think I even really want an answer, just like....add that functionality and email me when it's done

That'd be great

Z

Microsoft Sentinel
Microsoft Sentinel
A scalable, cloud-native solution for security information event management and security orchestration automated response. Previously known as Azure Sentinel.
975 questions
0 comments

2 answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. VasimTamboli 4,410 Reputation points
    2023-05-24T18:27:59.9+00:00

    There could be several reasons why sending an email directly from Azure Sentinel when a new incident is created is not available as a built-in functionality. Here are a few possible reasons:

    Flexibility and customization: By requiring users to utilize logic apps and playbooks, Azure Sentinel allows for greater flexibility and customization in the actions triggered by an incident. This approach enables users to define specific workflows, integrate with various systems, and apply additional logic or conditions before sending an email. It provides a more comprehensive solution beyond just email notifications.

    Integration with existing systems: Azure Sentinel is designed to integrate with a wide range of tools and systems, not just email. By using logic apps or playbooks, users can connect Sentinel with different services, platforms, or ticketing systems to create a more integrated and streamlined incident management process.

    Scalability and automation: Logic apps and playbooks enable automation and scalability. Instead of relying on manual email notifications, using these tools allows for the creation of dynamic workflows that can handle multiple incidents simultaneously, apply advanced filtering or decision-making logic, and send notifications to different recipients based on specific conditions.

    While it may seem like an additional step to set up logic apps or playbooks for email notifications, it provides a more robust and flexible solution that can be tailored to meet specific organizational requirements and integrate seamlessly with existing processes.

    1 person found this answer helpful.
    0 comments
  2. JamesTran-MSFT 36,366 Reputation points Microsoft Employee
    2023-05-31T23:26:30.3933333+00:00

    @Reilly Christopher, B2B-ITL-CRW-WNE-NT2-1

    Thank you for your product feedback!

    I understand that you'd like the notifications when a Sentinel Incident is created, to be more seamless similar to that within Microsoft 365 Defender, rather than having to leverage automation rules and Logic Apps (Playbooks) to send email notifications.

    Since this feature currently isn't available without the use of Playbooks, I've created an internal feature request, so our engineering team is aware of this, and I'd also recommend leveraging our User Voice forum and creating a feature request so the community can vote, comment, and share your idea.

    I hope this helps!

    If you have any other questions, please let me know. Thank you for your time and patience throughout this issue.

    If the information helped address your question, please Accept the answer. This will help us and also improve searchability for others in the community who might be researching similar information.

    1 person found this answer helpful.
    0 comments