How to Include Custom Details from an Alert in Email Generated by a Playbook
I have created an analytics rule that queries Sentinel for security events pertaining to group membership additions, and triggers an alert for each event found. The rule does not create an incident. Within the rule logic, I have created three “custom details” for specific fields within the event (TargetAccount, MemberName, SubjectAccount). I have also created a corresponding playbook for the purpose of sending an email to me when an alert is triggered. The associated automation rule has been configured and is triggered in the analytics rule. All of this is working as expected. When a member is added to a security group, I receive an email.
The one remaining piece is to populate the email message with the custom details that I’ve identified in the rule. However, I’m not sure how to do this. Essentially, I would like the values of the three custom details shown in the first screenshot below to show up in the body of the email, shown in the second screenshot, next to their corresponding names.
So, for example, say Joe Smith is added to the group “Admin” by Tom Jones. These are the fields and values in the event that I want to pull out.
TargetAccount = Admin
MemberName = Joe Smith
SubjectAccount = Tom Jones
The custom details would then be populated as such:
Security_Group = Admin
Member_Added = Joe Smith
Added_By = Tom Jones
and then, the body of the email would contain:
Group: Admin
Member Added: Joe Smith
Added By: Tom Jones
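As an added example that is not part of the original post, this is the kind of scheduled analytics rule query that produces the three columns the poster's custom details are mapped from. It assumes the events come from the SecurityEvent table (Windows Security log via the AMA/MMA connector); the event IDs are the standard "member added to security-enabled group" events (4728 global, 4732 local, 4756 universal), and TargetAccount, MemberName and SubjectAccount are the SecurityEvent column names those events populate.

```kql
// Added example, not the poster's own rule.
// Security-enabled group membership additions from the Windows Security log:
//   4728 = global group, 4732 = local group, 4756 = universal group.
SecurityEvent
| where EventID in (4728, 4732, 4756)
| project TimeGenerated,
          Computer,
          EventID,
          TargetAccount,   // the group that was modified
          MemberName,      // the account that was added to the group
          SubjectAccount   // the account that performed the addition
// In the rule's "Custom details" section, each custom detail name is mapped
// to one of the projected columns:
//   Security_Group -> TargetAccount
//   Member_Added   -> MemberName
//   Added_By       -> SubjectAccount
```

Each custom detail only exists in the alert if the column it is mapped to is present in the query's output, so keep the three columns in the final `project`; a rule that summarises or renames them would leave the custom details empty even though the alert still fires.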