How to Automate Microsoft Sentinel Incident Alerts to Email in Minutes: A Free ARM Template Playbook + Video

Introduction:

Security Operations Center (SOC) analysts often face the challenge of receiving timely notifications when critical incidents are detected. Microsoft Sentinel, a cloud-native SIEM, does not natively send email notifications when an incident is created. However, by leveraging Azure Logic Apps as automated playbooks, security teams can bridge this gap efficiently. This article explores a production-ready, open-source solution that deploys an HTML-formatted email alert system for Sentinel incidents using an ARM template, requiring minimal technical overhead.

Learning Objectives:

  • Deploy a fully functional Microsoft Sentinel email notification playbook using an ARM template in under 10 minutes.
  • Understand how to configure automation rules to scope incident-triggered notifications by severity, title, or other criteria.
  • Learn post-deployment steps including managed identity configuration, Office 365 connection authorization, and role assignments.
  • Explore an additional playbook for nagging unowned incidents via Teams adaptive cards to enforce SOC accountability.

You Should Know:

1. Understanding the Incident-Send-Email Playbook Architecture

The Incident-Send-Email playbook, part of the ITProfessorCloud Logic Apps collection, is a Microsoft Sentinel Logic App that fires an HTML-formatted email notification every time a new incident is created. It triggers on the Sentinel incident-creation webhook, composes a clean HTML email containing the incident title, severity, status, creation time, description, and a direct link to the Sentinel portal, and sends it via Office 365. Crucially, it uses a System Assigned Managed Identity for the Sentinel connection, eliminating the need for manual credential management. The ARM template deploys three resources: the Logic App workflow itself (Microsoft.Logic/workflows), a Microsoft Sentinel API connection, and an Office 365 connection.

Step-by-Step Deployment Guide:

  1. Access the ARM Template: Navigate to the ITProfessorCloud/LogicApps GitHub repository and locate the `Incident-Send-Email` folder.
  2. Deploy from Custom Template: In the Azure portal, search for “Deploy a custom template” and select “Build your own template in the editor”.
  3. Paste the ARM JSON: Copy the contents of `azuredeploy.json` from the repository into the template editor.
  4. Specify Parameters: Provide a `PlaybookName` (default: Incident_Send_Email) and the required `NotificationEmail` address to receive alerts.
  5. Review and Create: Click “Review + create” and then “Create” to deploy the resources.
  6. Authorize the Office 365 Connection: After deployment, locate the Office 365 API connection in the Azure portal and authorize it with a valid account.
  7. Enable the Logic App: The playbook deploys in a disabled state; enable it once the Office 365 connection is authorized.
  8. Grant Log Analytics Reader Role: Assign the Logic App’s managed identity the Log Analytics Reader role on the Log Analytics Workspace to allow it to read incident data.
  9. Attach to an Automation Rule: In Microsoft Sentinel, go to Automation > Create > Automation rule. Set the trigger to When incident is created, add an action to Run playbook, and select this playbook.
  10. Scope the Rule: Optionally, add conditions to scope the rule by severity (e.g., High or Medium) or incident title to avoid alert fatigue.

2. The Nag Machine: Enforcing Incident Ownership via Teams

Beyond email alerts, the repository includes a second playbook called Sentinel-Nag-Machine, designed to address unowned incidents. This playbook runs on a recurring 15-minute schedule and queries Log Analytics for Sentinel incidents in New status with no owner that are older than 30 minutes. It sends Teams adaptive cards to a designated SOC channel: a friendly nudge for incidents under 1 hour old, and an escalated urgent card for incidents 2 or more hours old. Analysts can respond directly in Teams to Take Ownership or Dismiss the incident; taking ownership automatically assigns the incident to the responder and sets its status to Active via the Microsoft Sentinel API. This enforces accountability and reduces mean time to acknowledge (MTTA).

Step-by-Step Nag Machine Configuration:

  1. Deploy the `Sentinel-Nag-Machine` ARM template from the same repository.
  2. Authorize the Teams Connection: Open the Teams API connection in the portal and authorize it with an account that has access to your SOC Teams channel.
  3. Configure Azure Monitor Logs Connection: Authorize it and point it at your Log Analytics Workspace.
  4. Set Teams Channel: Update the `groupId` and `channelId` values in both adaptive card actions to target your specific SOC channel.
  5. Grant Microsoft Sentinel Responder Role: Assign the Logic App’s managed identity the Microsoft Sentinel Responder role on your Sentinel workspace so it can update incidents.
  6. Enable the Logic App: Enable it once all connections are authorized.
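The ownership check described above, written as a stand-alone KQL query against the SecurityIncident table so it can be tested in Log Analytics before being wired into a Logic App. This is an added example, not the query from the ITProfessorCloud playbook; the article gives a nudge for incidents under 1 hour and an urgent card at 2 or more hours, so treating the 1 to 2 hour band as a nudge is an assumption made here.

```kql
// Added example (not from the article or the repository): the ownership
// check behind the Nag Machine pattern, run over the SecurityIncident table.
let minAge = 30m;     // ignore incidents younger than this
let urgentAge = 2h;   // escalate incidents older than this
SecurityIncident
| where TimeGenerated > ago(7d)
// SecurityIncident logs every modification; keep only each incident's latest state
| summarize arg_max(LastModifiedTime, *) by IncidentNumber
| where Status == "New"
// Owner is a dynamic column; both fields are empty when nobody has claimed the incident
| where isempty(tostring(Owner.assignedTo)) and isempty(tostring(Owner.objectId))
| where CreatedTime < ago(minAge)
| extend AgeMinutes = datetime_diff('minute', now(), CreatedTime)
// Assumption: anything not yet at the urgent threshold gets the friendly nudge card
| extend Card = iff(CreatedTime < ago(urgentAge), "Urgent", "Nudge")
| project IncidentNumber, IncidentName, Title, Severity, CreatedTime, AgeMinutes, Card, IncidentUrl
| order by AgeMinutes desc
```

In a Logic App, the Card column is what decides which adaptive card action runs, and IncidentName (the incident GUID) is the identifier the Microsoft Sentinel connector needs to update the incident.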

3. KQL Detection Engineering and Incident Automation Synergy

Effective incident response begins with robust detection. Kusto Query Language (KQL) is the foundation of Microsoft Sentinel’s analytics rules, enabling security teams to hunt for threats and create high-fidelity alerts. When a KQL-based analytics rule generates an alert and groups it into an incident, automation rules can trigger playbooks like Incident-Send-Email. This synergy between detection engineering and SOAR (Security Orchestration, Automation, and Response) ensures that critical incidents are not only detected but also immediately communicated to the right stakeholders. For example, a KQL query detecting multiple failed logins followed by a successful login from an anomalous location can trigger an incident that automatically emails the SOC lead.
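The detection sketched in the last sentence above, as an added KQL example (not from the article or the repository): a burst of failed sign-ins from one IP followed by a success from that IP, flagged only when the sign-in country is absent from the user's 14-day baseline. It assumes the Entra ID SigninLogs table is ingested; the interrupt codes treated as non-failures (50125, 50140) and the thresholds are assumptions to tune per tenant.

```kql
// Added example (not from the article or the ITProfessorCloud repository):
// failed sign-in burst, then a success from the same IP, from a country
// the user has not successfully signed in from during the baseline window.
let lookback = 1h;          // window in which the burst and the success must occur
let baseline = 14d;         // history used to learn each user's usual countries
let failThreshold = 5;      // minimum failures before a following success is suspicious
// Success plus interrupt codes that are not real credential failures (assumed list)
let nonFailureCodes = dynamic(["0", "50125", "50140"]);
let knownCountries = SigninLogs
    | where TimeGenerated between (ago(baseline) .. ago(lookback))
    | where ResultType == "0"
    | extend Country = tostring(LocationDetails.countryOrRegion)
    | where isnotempty(Country)
    | summarize KnownCountries = make_set(Country) by UserPrincipalName;
let failureBursts = SigninLogs
    | where TimeGenerated > ago(lookback)
    | where ResultType !in (nonFailureCodes)
    | summarize FailedCount = count(), FirstFail = min(TimeGenerated), LastFail = max(TimeGenerated)
        by UserPrincipalName, IPAddress
    | where FailedCount >= failThreshold;
SigninLogs
| where TimeGenerated > ago(lookback)
| where ResultType == "0"
| extend Country = tostring(LocationDetails.countryOrRegion)
| project SuccessTime = TimeGenerated, UserPrincipalName, IPAddress, Country, AppDisplayName
| join kind=inner failureBursts on UserPrincipalName, IPAddress
| project-away UserPrincipalName1, IPAddress1
| where SuccessTime > LastFail                       // success must follow the burst
| join kind=leftouter knownCountries on UserPrincipalName
| project-away UserPrincipalName1
// No baseline at all, or a country outside it, counts as anomalous
| where isnull(KnownCountries) or not(set_has_element(KnownCountries, Country))
| project UserPrincipalName, IPAddress, Country, AppDisplayName, FailedCount, FirstFail, LastFail, SuccessTime
| order by SuccessTime desc
```

Saved as a scheduled analytics rule with incident creation enabled, each result becomes an incident that the automation rule from the deployment steps hands to the Incident-Send-Email playbook.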

4. Managing Logic Apps with Azure CLI and PowerShell

While the ARM template provides a click-to-deploy experience, advanced users may prefer command-line deployment. Below are verified commands for deploying and managing these playbooks:

Azure CLI Deployment:

# Deploy the Incident-Send-Email playbook
az deployment group create --resource-group <YourResourceGroup> \
--template-file azuredeploy.json \
--parameters PlaybookName=Incident_Send_Email NotificationEmail=<YourNotificationEmail>

PowerShell Deployment:

# Deploy the Incident-Send-Email playbook (template parameters become cmdlet parameters)
New-AzResourceGroupDeployment -ResourceGroupName <YourResourceGroup> `
-TemplateFile azuredeploy.json `
-PlaybookName "Incident_Send_Email" `
-NotificationEmail "<YourNotificationEmail>"

Listing Logic Apps via Azure CLI:

az logic workflow list --resource-group <YourResourceGroup> --output table

Enabling a Disabled Logic App:

az logic workflow enable --name Incident_Send_Email --resource-group <YourResourceGroup>

5. Security Hardening and Best Practices

When deploying automated playbooks, security considerations are paramount. The Incident-Send-Email playbook uses a System Assigned Managed Identity, which is a best practice for avoiding hard-coded credentials. Additionally, ensure that the Logic App’s managed identity has the least privilege necessary—only the Log Analytics Reader and Microsoft Sentinel Responder roles are required. For the Office 365 connection, use a dedicated service account with minimal mailbox permissions. To prevent alert storms, scope automation rules with conditions such as `Severity equals High` or an incident title that contains “Critical”. Regularly audit Logic App run history and set up failure alerts to monitor the health of your automation.

6. Troubleshooting Common Issues

  • Office 365 Connection Not Authorized: The Logic App will fail if the Office 365 connection is not authorized. Navigate to the API connection resource in Azure and complete the authorization flow.
  • Managed Identity Permissions Missing: Ensure the Logic App’s managed identity has the Log Analytics Reader role on the workspace and Microsoft Sentinel Responder on the Sentinel workspace. Use Azure RBAC to verify assignments.
  • Automation Rule Not Triggering: Confirm that the automation rule is set to trigger on When incident is created and that the playbook is selected and enabled.
  • Email Not Received: Check the Logic App run history for failures. Verify that the email address is correct and that the Office 365 connector has send permissions.

7. Expanding Automation: From Email to Full SOAR Workflows

The Incident-Send-Email playbook is just one example of how Logic Apps can extend Sentinel’s capabilities. Organizations can build similar playbooks to:
  • Post incident details to Microsoft Teams or Slack.
  • Create tickets in ITSM systems like ServiceNow.
  • Isolate compromised VMs or disable Entra ID accounts.
  • Enrich incidents with threat intelligence data from external sources.

The ITProfessorCloud repository also includes a Self-Updating Watchlist automation that uses Logic Apps and Graph API to keep Sentinel watchlists current. These patterns demonstrate how low-code automation can significantly enhance SOC efficiency.

What Undercode Say:

  • Key Takeaway 1: The Incident-Send-Email playbook eliminates the need for custom scripting by providing a pre-built, ARM-template-driven solution that integrates seamlessly with Microsoft Sentinel’s automation rules.
  • Key Takeaway 2: Combining email alerts with the Nag Machine playbook creates a comprehensive notification ecosystem—email for immediate awareness and Teams for collaborative incident ownership and escalation.

Analysis: This approach democratizes SOAR capabilities, allowing organizations of all sizes to implement professional-grade incident notifications without deep development resources. The use of managed identities and ARM templates aligns with Azure security best practices, reducing the operational overhead of credential rotation and manual configuration. However, teams must still invest in proper scoping of automation rules to avoid alert fatigue and ensure that playbooks are monitored for failures. The Nag Machine, in particular, addresses a common SOC pain point—unowned incidents—by using adaptive cards to drive action directly from the collaboration tool where analysts already work. This represents a shift towards “chatops” in security operations, reducing context switching and accelerating response times.

Prediction:

  • +1 The adoption of pre-built ARM template playbooks will accelerate as Microsoft Sentinel continues to grow, with community-driven repositories like ITProfessorCloud becoming essential resources for SOC teams seeking to automate without extensive coding.
  • +1 Integration of AI-powered recommendations within Logic Apps will enable dynamic playbook adjustments based on incident patterns, further reducing manual tuning efforts.
  • -1 Organizations that deploy these playbooks without proper scoping and monitoring may experience alert fatigue or missed incidents if automation rules are misconfigured, emphasizing the need for ongoing governance.
  • +1 The trend towards “no-code” and “low-code” SOAR will lower the barrier to entry for security automation, empowering smaller teams to compete with larger enterprises in incident response maturity.
  • -1 As playbooks become more complex, managing dependencies between multiple automations (email, Teams, ticketing) will require robust orchestration frameworks to prevent race conditions and ensure consistent state management.

Reported By: Bartosz Wysocki – Hackers Feeds