question

jcna asked ·

Azure Sentinel Alert Queries to Slack

Hello,

I am trying to configure sending alert queries to Slack and am having some issues with displaying the information properly. I have a scheduled alert from Azure Sentinel, and it displays data like so in Slack:

    Excessive Windows logon failures (copy)User has over 50 Windows logon failures today and at least 33% of the count of logon failures over the previous 7 days.[{"$id":"3","HostName":"xx1010003","Type":"host"},

Is there a way to make a link to the query when posting the message to Slack and sanitize the message sent? My current Logic App flow is:

1. When a response to an Azure Sentinel alert is triggered
2. Run query and list results
3. Post Message (Slack)

The other way I have it is eliminating step 2 completely. Slack always outputs the message, but when I put in the dynamic content expressions, it doesn't seem to capture the alert name at all and just leaves it as [alert name][sourceip] "investigated".

Thoughts?

Tags: azure-logic-apps, azure-sentinel

Could you share a screenshot of your workflow and/or the definition JSON (removing any sensitive information)?

0 Votes 0 ·

Sorry for the delay.

I have set up the following, but getting this output. I am trying to make the alarm output attractive for analysts to review.

[Attachment: 68481-2021-02-15-17-35-28-sentinelss.png (Logic App screenshot)]

[Attachment: 68429-2021-02-15-19-02-53-slack.png (Slack output screenshot)]


0 Votes 0 ·
PramodValavala-MSFT answered ·

Based on the screenshot you've shared, instead of just using the tokens one after the other, you would have to follow the formatting rules for Slack messages.

For example, to create a link with text as shown in their docs, you would need to use something like this - <*Incident URL Token*|Incident URL (or any text you need)>


<Incident URL Token|Incident URL (or any text you need)>

In this case, should the incident URL populate as any text?

What if I want to populate it with the source/destination IP if this were network traffic? For example, firewall alarms. Can this be done through the incident trigger or via a query?

0 Votes 0 ·

That should be possible as well, but it would involve parsing the data from the Sentinel alert to get the required details, and then it is just a matter of replacing "Incident URL (or any text you need)" in the above.

0 Votes 0 ·
jcna answered ·

I will review and keep you updated.


jcna answered ·

Still not getting the right output..

    "Post_message": {
        "inputs": {
            "host": {
                "connection": {
                    "name": "@parameters('$connections')['slack']['connectionId']"
                }
            },
            "method": "post",
            "path": "/chat.postMessage",
            "queries": {
                "channel": "security-alert-testing",
                "text": "@{body('Alert_-_Get_incident')?['properties']?['title']}@{body('Alert_-_Get_incident')?['properties']?['createdTimeUtc']}@{body('Alert_-_Get_incident')?['properties']?['incidentUrl']}\n"
            }
        }
    }

Based on the Slack link, I'm not sure how to edit this properly, as I'm doing dynamic calls for the alert and URL to display. The doc provided has it for manual links. Can you point me in the direction of how to parse it to display:
Alert Name/Type, Source, Destination, URL (shortened version)
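The answer above gives the `<url|text>` link syntax and says the entity JSON has to be parsed; the last post asks how to turn the dynamic tokens into a message showing alert name, source, destination and a link. The following is an added example, written in Python rather than as a Logic App definition, and is not code from either poster. It builds the `text` parameter that `/chat.postMessage` expects from a constructed incident body (same `properties.title`, `createdTimeUtc` and `incidentUrl` fields the post's expression reads) and a constructed entity list in the shape shown in the question. It also does the "sanitize" part: alert fields such as host or account names come from the monitored environment, and Slack treats `&`, `<` and `>` as markup, so an unescaped value like `<!channel>` would turn a hostname into a channel-wide notification. The portal URL is a placeholder, and treating the first two `ip` entities as source and destination is an assumption that depends on how the alert rule's entity mapping orders them.

```python
import json
import re

# Constructed sample of an incident body as the Logic App's "Alert - Get incident"
# action returns it; field names mirror the tokens used in the post, values are made up.
SAMPLE_INCIDENT = {
    "properties": {
        "title": "Excessive Windows logon failures (copy)",
        "createdTimeUtc": "2021-02-15T17:35:28Z",
        # Placeholder URL, not a real incident.
        "incidentUrl": "https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/EXAMPLE-INCIDENT-ID",
    }
}

# Constructed entity list in the shape shown in the question. The account entry
# carries a value that, unescaped, Slack would render as an @channel notification.
SAMPLE_ENTITIES = json.dumps([
    {"$id": "3", "HostName": "xx1010003", "Type": "host"},
    {"$id": "4", "Address": "10.0.0.5", "Type": "ip"},
    {"$id": "5", "Address": "203.0.113.7", "Type": "ip"},
    {"$id": "6", "Name": "<!channel> svc-backup", "Type": "account"},
])

# Only https URLs with none of the characters that would break out of the <url|label> form.
_SAFE_URL = re.compile(r"^https://[^\s<>|]+$")


def slack_escape(text: str) -> str:
    """Escape the three characters Slack message text treats as control characters."""
    return text.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")


def slack_link(url: str, label: str) -> str:
    """Return a link in the <url|label> form from the answer, or plain escaped text if the URL is unsafe to embed."""
    if _SAFE_URL.match(url):
        return f"<{url}|{slack_escape(label)}>"
    return f"{slack_escape(label)}: {slack_escape(url)}"


def entity_values(entities: list, entity_type: str, field: str) -> list:
    """Collect one field from every entity of the given type (e.g. the Address of each ip entity)."""
    return [str(e[field]) for e in entities if e.get("Type") == entity_type and field in e]


def build_slack_text(incident: dict, entities_json: str) -> str:
    """Compose the mrkdwn text: bold title, timestamp, entities, and a link back to the incident."""
    props = incident["properties"]
    entities = json.loads(entities_json)
    hosts = entity_values(entities, "host", "HostName")
    accounts = entity_values(entities, "account", "Name")
    ips = entity_values(entities, "ip", "Address")
    # Assumption: first ip entity is the source, second the destination. Sentinel ip
    # entities carry no direction; the order comes from the rule's entity mapping.
    src = ips[0] if len(ips) > 0 else "n/a"
    dst = ips[1] if len(ips) > 1 else "n/a"
    lines = [
        f"*{slack_escape(props['title'])}*",
        f"Created: {slack_escape(props['createdTimeUtc'])}",
        f"Host: {slack_escape(', '.join(hosts) or 'n/a')}",
        f"Account: {slack_escape(', '.join(accounts) or 'n/a')}",
        f"Source: {slack_escape(src)}   Destination: {slack_escape(dst)}",
        slack_link(props["incidentUrl"], "Open incident in Sentinel"),
    ]
    return "\n".join(lines)


def chat_post_message_body(channel: str, incident: dict, entities_json: str) -> dict:
    """Parameters for chat.postMessage, the path the Post_message action in the post calls."""
    return {"channel": channel, "text": build_slack_text(incident, entities_json), "mrkdwn": True}


if __name__ == "__main__":
    body = chat_post_message_body("security-alert-testing", SAMPLE_INCIDENT, SAMPLE_ENTITIES)
    print(json.dumps(body, indent=2))
```

Inside the Logic App itself, the same result goes into the Post message action's `text` field with workflow expressions rather than Python: `concat()` to join the pieces with `\n` between them, `replace()` applied to the title and entity values for `&`, `<` and `>` in that order, and the link written as `concat('<', body('Alert_-_Get_incident')?['properties']?['incidentUrl'], '|Open incident>')`. The point that carries over is that each dynamic token is escaped before it is placed into the message, and only the incident URL is placed inside the angle brackets.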
