4471ee74e6
Update readme.md
Incident-Assignment-Shifts
author: Jeremy Tan
This playbook assigns an Incident to an owner based on the Shifts schedule in Microsoft Teams.
Pre-requisites:
Ensure you have the following details to hand:
1. Sentinel Workspace details
   - Workspace Name.
   - Workspace Resource Group Name.
2. Service Principal
   Create or use an existing Service Principal with the Azure Sentinel Responder role.
   Steps to create a new Service Principal (follow the steps in this link):
   - Register an application to Azure AD and create a Service Principal.
   - Create a new application secret.
   - Assign a role to the application (assign the Azure Sentinel Responder role).
3. Shifts for Teams
   - You must have the Shifts schedule set up in Microsoft Teams.
   - The Shifts schedule must be published (Share with team).
4. Permission on Azure AD
   - There is an Azure AD connector in this Logic App to get details for a user.
   - To use the Azure AD connector, you need to sign in with an account with the following administrator permissions:
     - Group.ReadWrite.All
     - User.ReadWrite.All
     - Directory.ReadWrite.All
5. An O365 account to be used to send email notifications
   - Login details of the O365 account.
Post Deployment Configuration:
- Once deployed, edit the Logic App and find the connectors (5 in total) that have been marked with a warning icon in the designer.
- Fix these connectors by adding a new connection to each connector within your Logic App and signing in to authenticate.
- For the Shifts connector, make sure you have selected the Teams channel with a Shifts schedule.
- Save the Logic App once you have completed the above steps.
Incident Assignment Logic:
Incidents are assigned to users based on the following criteria:
- Users who are on shift at the time the incident is triggered and the Logic App runs.
- Users who still have at least 1 hour left before going off shift. You can change this value by modifying the below variable:
- Users who have had the fewest incidents assigned to them over the past 24 hours will be assigned the incident first.
- If an incident is already assigned to someone, triggering this Playbook will not perform reassignment. Although not recommended, you can modify the following variable to allow reassignment:
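The four assignment rules above, carried through as an added worked example in Python. This is not code from the playbook (which implements the rules as Logic App actions); the shift rows, assignment history, addresses and the alphabetical tie-break between equally loaded users are constructed assumptions.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample data (not from the playbook): a published Shifts schedule
# and the incidents assigned so far, all in UTC.
SHIFTS = [
    {"user": "alice@contoso.example", "start": "2024-05-01T08:00", "end": "2024-05-01T16:00"},
    {"user": "bob@contoso.example",   "start": "2024-05-01T08:00", "end": "2024-05-01T16:00"},
    {"user": "carol@contoso.example", "start": "2024-05-01T15:30", "end": "2024-05-01T23:30"},
    {"user": "dave@contoso.example",  "start": "2024-05-01T16:00", "end": "2024-05-02T00:00"},
]
ASSIGNMENTS = [  # (owner, time the incident was assigned)
    ("alice@contoso.example", "2024-05-01T09:00"),
    ("alice@contoso.example", "2024-05-01T10:00"),
    ("bob@contoso.example",   "2024-04-30T14:00"),  # older than 24h at 15:00 on 05-01, so ignored
]
MIN_REMAINING = timedelta(hours=1)   # the "at least 1 hour left" threshold from the README


def parse(ts):
    """Parse a constructed 'YYYY-MM-DDTHH:MM' timestamp as UTC."""
    return datetime.fromisoformat(ts).replace(tzinfo=timezone.utc)


def choose_owner(incident, now, shifts=SHIFTS, assignments=ASSIGNMENTS,
                 allow_reassignment=False):
    """Return the user the incident should be assigned to, or None if nobody qualifies."""
    # Rule 4: an incident that already has an owner is left alone unless
    # reassignment has been explicitly switched on (not recommended).
    if incident.get("owner") and not allow_reassignment:
        return incident["owner"]
    # Rules 1 and 2: on shift now, and not going off shift within the next hour.
    candidates = [
        s["user"] for s in shifts
        if parse(s["start"]) <= now and parse(s["end"]) - now >= MIN_REMAINING
    ]
    if not candidates:
        return None
    # Rule 3: count assignments in the last 24 hours and pick the least loaded user.
    window = now - timedelta(hours=24)
    load = {u: 0 for u in candidates}
    for owner, assigned_at in assignments:
        if owner in load and parse(assigned_at) >= window:
            load[owner] += 1
    # Assumed tie-break: alphabetical, so the result is deterministic.
    return min(candidates, key=lambda u: (load[u], u))
```

At 15:00 alice and bob are both still on shift with exactly one hour left, and bob wins because alice already took two incidents today; fifteen minutes later nobody qualifies until carol's shift starts.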
Email Notification:
- When an incident is assigned, the incident owner is notified via email.
- Below is a sample email notification:
- The email body has a banner whose colour is mapped to the incident's severity (High=red, Medium=orange, Low=yellow and Informational=grey).