Automatically add tags to incidents


Truth be told, I had this working a long time ago, it just took me way too long to figure out how to export the Logic Apps into working ARM templates!

I am sure you know you can tag incidents after they are created. Wouldn’t it be great if you could do this automatically? This post will tell you how to do that.

It will take a logic app that creates a watchlist with all the analytic rules in it. Then you modify the watchlist to add the tags you want associated with each rule. Finally, there is a playbook that will use this watchlist to add the tags to the incident.

All the needed files can be done at garybushey/autopopulateincidenttags: (

Create the watchlist

I created a logic app called “Create-RulesWatchlistForTags” that I have scheduled to run weekly. What it will do is:

  1. Make a REST API call to get all the analytic rules
  2. Try to get a list of all the items for the watchlist called “RuleTags”
    1. If that fails, I assume the watchlist doesn’t exist so create it.
    2. It will create the watchlist adding the “Id”,”Title”,”Enabled”, and “RuleTags” columns. One dummy entry is also created because the logic app connector requires it.
  3. It then goes through each rule and
    1. Check to see if the rule exists in the watchlist. I just do a simple comparison here otherwise I would need to not only loop through the rules but then I would have to loop through each entry in the watchlist to see if there is an exact match. This should work for 95% of the rules. If you have a rule called “Rule 12” and add another called “Rule 1′ then “Rule 1” will not be added since it matches against “Rule 12″‘s entry.
    2. If the rule does not exist in the watchlist, add it.

Nothing too fancy or tricky here.

Editing the watchlist

This is simple enough to do. Go to the watchlist, select it, and under the “Update watchlist” header, select “Edit watchlist items”. Depending on how many rules you have, this could take a while, but you only need to do it once.

Each tag you want to add needs to be semi-colon delimited. If that doesn’t work for you, you can change the delimiter in the “Update-RulesAddAutoTag” logic app where the rules are split into an array.

Adding the tags to the incident

The “Update-RulesAddAutoTag” playbook is set to run whenever a new incident is generated. You will need to create an automation rule to call it upon incident creation, but I am sure you know how to do that.

This playbook performs the following actions:

  1. Gets all the watchlist items for the “RuleTags” watchlist. I would be great if there was a connector that allowed you to get an item from the watchlist based on its search column, but right now you can only do it via the internal ID which is a GUID.
  2. Initialize a couple of variables being used later. “TagsToAdd” will hold the JSON that will be used to create the tags and “RuleTags” is used to hold the tags that get split apart later on.
  3. For each watchlist item from Step 1
    1. Loop through each rule in the incident. I was wondering why this can hold multiple values until I happened to look at an incident created from the “Fusion” rule. Those incidents can have multiple rules associated with them.
    2. Does the rule name (typically a GUID except for the Fusion rule) equal the “Id” column in the watchlist that we added when we created the watchlist.
      1. If it does, split apart the listing of tags that is saved with this watchlist item.
      2. For each rule we then need to check to see if this is the first time we ran through the loop. If it isn’t, we need to add a comma to JSON string we are building so that the JSON is correctly formatted.
      3. We then add the JSON that is needed to add a single tag to the “TagsToAdd” variable
      4. Once we have all the tags added, we update the incident with the tags. In the “Update incident” action, I switched the tags section to use JSON rather than entering each tag individually. This allows all the tags to be added at once. One thing is I had to use the “json()” expression to convert the “TagsToAdd” variable into a JSON string that the action would recognize.

Adding the logic apps to your environment

This is fairly easy. In the Azure portal, look for the “Deploy a custom template” service. As the name implies, this will allow you to easily add a new resource using an ARM template. Open each template’s JSON file and, one at a time, add the templates.

Once the logic apps have been added, you need to go to each one, select “Identity” and grant the System Assigned managed identity the “Microsoft Sentinel Contributor” role. You also will need to verify that the connections are set correctly in the logic apps to function correctly.

I am working on getting the “Deploy to Azure” button working so hopefully that will be added soon.


In this post, I went through what is needed to automatically add tags to incidents that were created. You can easily take this framework and modify as needed. For instance, instead of adding tags based on the rule that created it, you could look for people in the entities and add the tags that way. The principal is still the same.

Leave a Reply

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.