cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Creating a playbook with actionable message for end users

MikeP751860
Brass Contributor

‎Nov 06 2023 05:12 AM

‎Nov 06 2023 05:12 AM

Creating a playbook with actionable message for end users

Hi,

 

Has anyone tried to create a playbook in Sentinel with workflow to send an actionable message to the end user to get them to confirm if they completed an action which triggered an alert/incident? We would like to see if we can reduce the SIEM events to our service desk by asking the end user to confirm actions undertaken. 

 

If they do not reply within 1 hour or if they reply as No then the incident will be raised. The nice thing about actionable message is the requirement for the end-user to authenticate plus we can add MFA validate it is the user and not someone else.

 

Regards

 

Mike

Labels:
586 Views
0 Likes
4 Replies
Reply
4 Replies
Clive_Watson

‎Nov 06 2023 07:07 AM

‎Nov 06 2023 07:07 AM

Re: Creating a playbook with actionable message for end users

I've seen it done - for Impossible Travel if I remember correctly. They also considered looking up the Manager in Entra ID (AAD) and informing them as a parallel check, also they excluded High priority events. e.g. was the manager aware they were traveling / on vacation etc...
You'll also probably need some anomaly detection to see if you see high closure rates or spikes per user or alert, and to track these, maybe in a Workbook or better still a daily report/secondary Alert.
1 Like
Reply
MikeP751860

‎Nov 06 2023 07:24 AM

‎Nov 06 2023 07:24 AM

Re: Creating a playbook with actionable message for end users

Hi Clive, have you seen any examples in Github for the Azure web service required to manage the process?
0 Likes
Reply
Clive_Watson

‎Nov 06 2023 07:41 AM

‎Nov 06 2023 07:41 AM

Re: Creating a playbook with actionable message for end users

@MikeP751860 

 

The one I saw was all done from within the Playbook using a condition check - one example

1. If Alert fires - "send email to user" + lookup and "email manager", else "do nothing" (I think they actually wrote the state to a Teams channel at the time, plus "updated" the Incident.

2. Then the task waits for the user / manager to respond

I dont recall if they had your "wait 1 hr" accounted for.  It was at least 3years ago!   

Good luck with this, I suspect most users wont reply within the time window you set, without some training or penalty 

0 Likes
Reply
MikeP751860

‎Nov 06 2023 07:42 AM

‎Nov 06 2023 07:42 AM

Re: Creating a playbook with actionable message for end users

Thanks Clive.
0 Likes
Reply