The purpose of this article is to provide the CyberZentinel community with a solution that:
· Includes “Reporting” as one of the features you can implement in Sentinel.
· Improves the data flow strategy by creating custom reports.
· Enhances analysis and investigation by creating daily, weekly or monthly reports.
In essence, the steps are to implement a Logic App with a time recurrence trigger, collect the data the business needs, and send it via email at a predefined frequency.
Find here the logic app code I used as template:
High Level Steps
1. Go to the Azure portal and open the logic apps section:
2. Click on add a new logic app:
3. Fill in the logic app creation wizard with the required information, making sure it uses the same resource group and location as the Log Analytics workspace used by Sentinel. Select Consumption as the plan type; zone redundancy is not needed.
4. Once the logic app is created, go to Workflows and add a new stateful workflow:
5. Once the workflow is created, open it, go to Workflows and then Designer.
6. In the Designer you can build the app visually, selecting components and organizing them according to your needs, as in the example below:
Check below the detailed steps to configure each component of the logic app:
a) First you need to define a trigger, the operation that starts your workflow. In this case we use a scheduled Recurrence trigger set to fire every 7 days:
b) After the trigger is configured, you can add a new step. For our purpose we will run a Log Analytics query, so select the Run Query and Visualize Results operation under Azure > Azure Monitor Logs:
c) Once the operation is selected, fill it in with the workspace details and the query whose results you want to capture:
d) After you configure the query operation, you can send the query results via email using a new operation under Azure > Office 365 Outlook > Send an Email (V2).
e) Now fill in the fields of the send email operation to create an email template that could look like this:
f) At this point you might ask yourself: how can I add the results of each query to the email body or as an attachment? In the email Body you can open “dynamic content”, and under dynamic content you can add the Attachment Content for each of the queries run earlier in the workflow. The screenshot explains it better: each operation has its own name and therefore its own Attachment Content. You only need to reference the correct attachment content in the body, and those results will appear when the email is sent.
g) After you complete your workflow, click Save, go to Overview and click Run Trigger. This starts the app and runs it for the first time. You can view the status of the run below.
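The same workflow expressed as a Logic App workflow definition, added here as an illustration rather than the template the author used (which is not reproduced above). It wires the three steps together: a Recurrence trigger every 7 days, a Run query and visualize results action against the Sentinel workspace, and a Send an email (V2) action whose Body and Attachments both reference the query's attachmentContent, which is what the "dynamic content" picker in step f) generates behind the scenes. The subscription, resource group, workspace name, recipient address and the KQL query (incidents by severity over the last 7 days) are constructed placeholders; the connector paths (/visualizeQuery, /v2/Mail) and connection names (azuremonitorlogs, office365) are what the standard connectors use, and the two API connections must already exist in the resource group.

```json
{
  "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "$connections": { "type": "Object", "defaultValue": {} }
  },
  "triggers": {
    "Recurrence": {
      "type": "Recurrence",
      "recurrence": { "frequency": "Day", "interval": 7 }
    }
  },
  "actions": {
    "Run_query_and_visualize_results": {
      "type": "ApiConnection",
      "runAfter": {},
      "inputs": {
        "host": {
          "connection": { "name": "@parameters('$connections')['azuremonitorlogs']['connectionId']" }
        },
        "method": "post",
        "path": "/visualizeQuery",
        "body": "SecurityIncident\n| where TimeGenerated > ago(7d)\n| summarize Incidents = count() by Severity",
        "queries": {
          "subscriptions": "<PLACEHOLDER-SUBSCRIPTION-ID>",
          "resourcegroups": "<PLACEHOLDER-RESOURCE-GROUP>",
          "resourcetype": "Log Analytics Workspace",
          "resourcename": "<PLACEHOLDER-WORKSPACE-NAME>",
          "timerange": "Set in query",
          "visType": "Html Table"
        }
      }
    },
    "Send_an_email_(V2)": {
      "type": "ApiConnection",
      "runAfter": { "Run_query_and_visualize_results": [ "Succeeded" ] },
      "inputs": {
        "host": {
          "connection": { "name": "@parameters('$connections')['office365']['connectionId']" }
        },
        "method": "post",
        "path": "/v2/Mail",
        "body": {
          "To": "soc-reports@example.com",
          "Subject": "Weekly Sentinel incident report",
          "Body": "<p>Incidents by severity, last 7 days:</p>@{body('Run_query_and_visualize_results')?['attachmentContent']}",
          "Attachments": [
            {
              "Name": "@body('Run_query_and_visualize_results')?['attachmentName']",
              "ContentBytes": "@body('Run_query_and_visualize_results')?['attachmentContent']"
            }
          ],
          "Importance": "Normal"
        }
      }
    }
  },
  "outputs": {}
}
```

Each additional report query is another Run query and visualize results action with its own name; its results are pulled into the email by referencing body('<that action name>')?['attachmentContent'] exactly as above. Keep the Office 365 connection tied to a mailbox with no more permission than sending mail, since the workflow can read everything the Log Analytics connection's identity can read in the workspace.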
The final email will look similar to the output below: