# Incident-Assignment-Shifts

author: Jeremy Tan
version: 2.2
This playbook will assign an Incident to an owner based on the Shifts schedule in Microsoft Teams.
## Pre-requisites

Ensure you have the following details:

1. User account, Service Principal or Managed Identity with the Azure Sentinel Responder role
   - Create or use an existing user account, Service Principal or Managed Identity with the Azure Sentinel Responder role.
   - This will be used in the Azure Sentinel connectors (Incident Trigger, Update incident and Add comment to incident) and an HTTP connector.
   - This example will walk you through using a System Managed Identity for the above connectors.
2. Set up the Shifts schedule
   - You must have the Shifts schedule set up in Microsoft Teams.
   - The Shifts schedule must be published (Share with team).
3. User account with the Owner role in Microsoft Teams
   - Create or use an existing user account or managed identity with the Owner role in a Team.
   - The user account will be used in the Shifts connector (List all shifts).
4. User account or Service Principal with the Log Analytics Reader role
   - Create or use an existing user account or Service Principal with the Log Analytics Reader role on the Azure Sentinel workspace.
   - The user account or Service Principal will be used in the Azure Monitor Logs connector (Run query and list results).
5. An O365 account to be used to send email notifications
   - The user account will be used in the O365 connector (Send an email).
## Post Deployment Configuration

1. Enable Managed Identity and configure role assignment
   - Once deployed, go to the Logic App's blade and click on Identity under Settings.
   - Select On under the System assigned tab. Click Save and select Yes when prompted.
   - Click on Azure role assignments to assign a role to the Managed Identity.
   - Click on + Add role assignment.
   - Select Resource group under Scope and select the Subscription and Resource group where the Azure Sentinel Workspace is located. Select Azure Sentinel Responder under Role and click Save.
2. Configure connections
   - Edit the Logic App or go to Logic app designer.
   - Expand each step to find the following connectors (6 in total) that need to be fixed:
     - Incident Trigger
     - Update Incident
     - Add comment to incident
     - List all shifts
     - Run query and list results
     - Send an email
   - Fix these connectors by adding a new connection to each connector and signing in with the accounts described under Pre-requisites.
3. Select the Shifts schedule
   - Edit the Logic App or go to Logic app designer.
   - Find the List all shifts connector and click on the X sign next to the Team field for the drop-down list to appear.
   - Select the Teams channel with your Shifts schedule from the drop-down list.
   - Save the Logic App once you have completed the above steps.
## Incident Assignment Logic

Incidents are assigned to users based on the following criteria:

- Only users whose shift has already started at the time the Logic App runs are considered.
- Only users who still have at least 1 hour left before going off shift are considered. You can change this value by modifying the below variable:
- The user with the fewest incidents assigned on the current shift is assigned the incident first.
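As an added example (not part of the playbook or its Logic App definition), the three selection rules above applied in Python to constructed shift records shaped like Microsoft Graph shift objects (`userId` plus `sharedShift.startDateTime`/`endDateTime`) and a constructed per-user incident count of the kind the Log Analytics query step would supply; the record shape and the first-listed-wins tie-break are assumptions.

```python
from datetime import datetime, timedelta

# Default minimum remaining shift time, matching the playbook's "at least 1 hour" rule.
MIN_REMAINING = timedelta(hours=1)

# Constructed sample shifts, shaped like Microsoft Graph "shift" records
# (userId plus sharedShift.startDateTime/endDateTime in UTC). Not real data.
SAMPLE_SHIFTS = [
    {"userId": "alice", "sharedShift": {"startDateTime": "2024-05-01T08:00:00Z",
                                        "endDateTime": "2024-05-01T16:00:00Z"}},
    {"userId": "bob",   "sharedShift": {"startDateTime": "2024-05-01T08:00:00Z",
                                        "endDateTime": "2024-05-01T14:30:00Z"}},
    {"userId": "carol", "sharedShift": {"startDateTime": "2024-05-01T14:00:00Z",
                                        "endDateTime": "2024-05-01T22:00:00Z"}},
    {"userId": "dave",  "sharedShift": {"startDateTime": "2024-05-01T08:00:00Z",
                                        "endDateTime": "2024-05-01T16:00:00Z"}},
]

# Constructed per-user count of incidents already assigned during the current
# shift (what the Log Analytics query step would supply). Users missing here have 0.
SAMPLE_INCIDENT_COUNTS = {"alice": 3, "bob": 0, "dave": 1}


def parse_utc(value):
    """Parse an ISO 8601 UTC timestamp like the ones utcNow() and Graph return."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def eligible_users(shifts, now_iso, min_remaining=MIN_REMAINING):
    """Users whose shift has started by now_iso and still has min_remaining left."""
    now = parse_utc(now_iso)
    users = []
    for shift in shifts:
        span = shift["sharedShift"]
        start = parse_utc(span["startDateTime"])
        end = parse_utc(span["endDateTime"])
        if start <= now and end - now >= min_remaining:
            users.append(shift["userId"])
    return users


def pick_owner(shifts, incident_counts, now_iso, min_remaining=MIN_REMAINING):
    """Eligible user with the fewest incidents, or None if nobody qualifies.
    Ties keep shift-list order (assumption: the playbook does not state its tie-break)."""
    candidates = eligible_users(shifts, now_iso, min_remaining)
    if not candidates:
        return None
    return min(candidates, key=lambda user: incident_counts.get(user, 0))
```

Running it at 13:45 UTC drops bob (under an hour left) and carol (shift not started yet) and picks dave over alice because dave holds fewer incidents.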
## Email Notification

- When an incident is assigned, the incident owner is notified via email.
- Below is the sample email notification:
- The email body has a banner with a colour mapped to the incident's severity (High = red, Medium = orange, Low = yellow and Informational = grey).