Matt Egen 2021-08-11 14:55:58 -07:00 committed by GitHub
Parent cda23a4f69
Commit 36f5a00b37
No key found matching this signature
GPG key ID: 4AEE18F83AFDEB23
1 changed file: 5 additions and 5 deletions


@ -1,4 +1,4 @@
#Scheduled CSV Exports to Email
# Scheduled CSV Exports to Email
----
Author: Matt Egen
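Review bot: the added space is the right fix (`#Scheduled ...` is not an ATX heading in CommonMark, so the old title rendered as literal text), but the `----` line directly below it now renders as a horizontal rule under the H1 rather than as a heading underline; either drop the `----` or use the setext form (title line followed by a line of `====`) instead of both. The unchanged `Author: Matt Egen` line and the e-mail line that follows it will also be joined into one paragraph, so end the author line with two trailing spaces or put the two on a list.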
@ -8,16 +8,16 @@ mattegen@microsoft.com
Do you have a need to run scheduled exports of data from your Azure Sentinel environment? If so, this is the Playbook for you! Running on a daily recurrence trigger it exports data from Azure Sentinel on a daily/weekly/monthly scheudule as a .csv file via SMTP email connection using a WatchList() as the data source for the reports
##Connectors and Prerequisites
## Connectors and Prerequisites
----
###SMTP Email
###### SMTP Email
This Playbook uses the built in SMTP connector for Azure Logic Apps. Unlike the built-in Outlook mail connector, you do not need to have an O365 account to send email via the SMTP connector, but you need to do some configuration and make some decisions. If you're using O365, you can send email via your public facing SMTP server endpoint (See: https://docs.microsoft.com/en-us/exchange/mail-flow-best-practices/how-to-set-up-a-multifunction-device-or-application-to-send-email-using-microsoft-365-or-office-365 for more details. You will need to decide if you are going to need to send *authenticated* or *unauthenticated* email. For example, if the email your sending is going to an internal only email address, then you can send it unauthenticated and do not even need a mailbox in O365. However, if you want to send an email to an address outside of your domain, then you can **only** send it as an authenticated user and that will require that the user account have a mailbox.
###Watchlist
###### Watchlist
Report items are based on a schedule of daily, weekly, or monthly and are stored in a watchlist called "Reporting". The Playbook executes an Azure Monitor Logs query for the various reports using a query like this: "\_GetWatchlist("Reporting") | where Schedule == "Daily"". It then iterates through the returned values to run the reports and send the emails out.
###Watchlist Structure
###### Watchlist Structure
The watchlist has a set structure that you have to follow. I've included a sample in this repo.
Title: The name of the report. This is used in the subject line of the email, the body of the email, and as the filename for the .CSV attachment
Schedule: The schedule to run the report. Acceptable values: Daily, Weekly, Monthly (please note it is cAsE sEnSiTiVe)
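Review bot: the three subsection headings are changed from `###` to `######` (H6) directly under the `##` "Connectors and Prerequisites" heading, which skips three levels and renders them smaller than body text in most themes; `### SMTP Email`, `### Watchlist` and `### Watchlist Structure` fix the missing-space bug while keeping the hierarchy. While this file is being touched, the unchanged description still has "scheudule", "built in" and "your sending", and the parenthesis opened at "(See: https://docs.microsoft.com/..." is never closed; the `Title:` and `Schedule:` field descriptions at the end will also run together into one paragraph unless they are given list markers.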