Forum Discussion

afiore1130's avatar
afiore1130
Copper Contributor
Jun 27, 2024

How to Include Custom Details from an Alert in Email Generated by a Playbook

I have created an analytics rule that queries Sentinel for security events pertaining to group membership additions, and triggers an alert for each event found. The rule does not create an incident. Within the rule logic, I have created three "custom details" for specific fields within the event (TargetAccount, MemberName, SubjectAccount). I have also created a corresponding playbook for the purpose of sending an email to me when an alert is triggered. The associated automation rule has been configured and is triggered in the analytics rule. All of this is working as expected - when a member is added to a security group, I receive an email.

 

The one remaining piece is to populate the email message with the custom details that I've identified in the rule. However, I'm not sure how to do this. Essentially, I would like the values of the three custom details shown in the first screenshot below to show up in the body of the email, shown in the second screenshot, next to their corresponding names.

 

 

So, for example, say Joe Smith is added to the group "Admin" by Tom Jones. These are the fields and values in the event that I want to pull out.

  • TargetAccount = Admin
  • MemberName = Joe Smith
  • Subject Account = Tom Jones

The custom details would then be populated as such:

  • Security_Group = Admin
  • Member_Added = Joe Smith
  • Added_By = Tom Jones

and then, the body of the email would contain:

  • Group: Admin
  • Member Added: Joe Smith
  • Added By: Tom Jones
Analytics
Automation
Playbooks
  • DGMalcolm's avatar
    DGMalcolm
    Iron Contributor
    Aug 29, 2024
    Did you ever figure out how to pull this information into the email?
    ~dgm~
    • afiore1130's avatar
      afiore1130
      Copper Contributor
      Sep 18, 2024

      DGMalcolm 

      Yes, I was able to get it working. Essentially, the missing piece was taking the custom details collected in the analytics rule (that are in JSON) and, in the playbook, adding them to a variable and then parsing the JSON. Here are the steps.

       

      1. Initialize variable and add custom details (screenshots #1 & 2).
      2. Parse the JSON (screenshots #3 & 4). In this step you should update the schema to match the Custom Details names you are using in your analytics rule. You can check the output from your alert by selecting the playbook and then reviewing the 'Runs History'.
      3. Add the custom details to the email (screenshots #5 & 6).

       

      Hope that helps.

       

       

Resources