Nov 06 2023 05:12 AM
Hi,
Has anyone tried to create a playbook in Sentinel with a workflow to send an actionable message to the end user to get them to confirm if they completed an action which triggered an alert/incident? We would like to see if we can reduce the SIEM events to our service desk by asking the end user to confirm actions undertaken.
If they do not reply within 1 hour or if they reply as No, then the incident will be raised. The nice thing about actionable messages is the requirement for the end user to authenticate, plus we can add MFA to validate it is the user and not someone else.
Regards
Mike
Nov 06 2023 07:41 AM
The one I saw was all done from within the Playbook using a condition check - one example:
1. If Alert fires - "send email to user" + lookup and "email manager", else "do nothing" (I think they actually wrote the state to a Teams channel at the time, plus "updated" the Incident).
2. Then the task waits for the user / manager to respond.
I don't recall if they had your "wait 1 hr" accounted for. It was at least 3 years ago!
Good luck with this, I suspect most users won't reply within the time window you set, without some training or penalty.
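Below is a Logic Apps workflow definition that implements the flow described in Mike's question (send an approval-style actionable message, wait up to 1 hour, treat "No" or no reply as confirmed suspicious) using the condition-check pattern the reply describes. It is an added example written for this thread, not code from either poster or from Microsoft. Because the Sentinel incident trigger only fires once an incident already exists, "raise the incident" is modelled as keeping it Active and tagging it for the service desk, while a "Yes" reply closes it as benign. The connector paths (`/incident-creation`, `/approvalmail/$subscriptions`, `/Incidents`), the connection names (`azuresentinel`, `office365`) and the `userEmail` parameter are assumptions taken from the standard Sentinel and Office 365 Outlook connectors; verify them against the code view of a playbook built in the designer, and in production derive the recipient from the incident's Account entity rather than a fixed parameter.

```json
{
  "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "$connections": { "type": "Object", "defaultValue": {} },
    "userEmail": { "type": "String", "defaultValue": "user@example.com" }
  },
  "triggers": {
    "Microsoft_Sentinel_incident": {
      "type": "ApiConnectionWebhook",
      "inputs": {
        "body": { "callback_url": "@{listCallbackUrl()}" },
        "host": { "connection": { "name": "@parameters('$connections')['azuresentinel']['connectionId']" } },
        "path": "/incident-creation"
      }
    }
  },
  "actions": {
    "Send_approval_email": {
      "type": "ApiConnectionWebhook",
      "runAfter": {},
      "limit": { "timeout": "PT1H" },
      "inputs": {
        "body": {
          "NotificationUrl": "@{listCallbackUrl()}",
          "Message": {
            "To": "@parameters('userEmail')",
            "Subject": "Security check: did you perform this action?",
            "Options": "Yes, No",
            "Importance": "High",
            "HideHTMLMessage": false,
            "ShowHTMLConfirmationDialog": true,
            "Body": "Our monitoring flagged activity on your account: @{triggerBody()?['object']?['properties']?['title']}. Did you perform this action? If you do not respond within 1 hour it will be escalated."
          }
        },
        "host": { "connection": { "name": "@parameters('$connections')['office365']['connectionId']" } },
        "path": "/approvalmail/$subscriptions"
      }
    },
    "Escalate_if_no_or_timeout": {
      "type": "If",
      "runAfter": { "Send_approval_email": [ "Succeeded", "TimedOut" ] },
      "expression": {
        "or": [
          { "equals": [ "@actions('Send_approval_email')?['status']", "TimedOut" ] },
          { "equals": [ "@body('Send_approval_email')?['SelectedOption']", "No" ] }
        ]
      },
      "actions": {
        "Keep_incident_active_for_service_desk": {
          "type": "ApiConnection",
          "inputs": {
            "body": {
              "incidentArmId": "@triggerBody()?['object']?['id']",
              "status": "Active",
              "tagsToAdd": { "TagsToAdd": [ { "Tag": "user-denied-or-no-reply" } ] }
            },
            "host": { "connection": { "name": "@parameters('$connections')['azuresentinel']['connectionId']" } },
            "method": "put",
            "path": "/Incidents"
          }
        }
      },
      "else": {
        "actions": {
          "Close_incident_as_benign": {
            "type": "ApiConnection",
            "inputs": {
              "body": {
                "incidentArmId": "@triggerBody()?['object']?['id']",
                "status": "Closed",
                "classification": {
                  "ClassificationAndReason": "BenignPositive - SuspiciousButExpected",
                  "ClassificationReasonText": "User confirmed the action via actionable message"
                }
              },
              "host": { "connection": { "name": "@parameters('$connections')['azuresentinel']['connectionId']" } },
              "method": "put",
              "path": "/Incidents"
            }
          }
        }
      }
    }
  }
}
```

Two details matter for the 1-hour rule: the `limit.timeout` of `PT1H` on the webhook action is what enforces the window, and the condition's `runAfter` must list `TimedOut` alongside `Succeeded`, otherwise the branch is skipped when no reply arrives and the incident is never escalated. The authentication property Mike mentions comes from the actionable message itself (the user must be signed in to Outlook to click the option), so the workflow should only ever close an incident on a positive "Yes" and treat every other outcome, including timeout, as escalation.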