Automated incident reporting from Azure Sentinel to Microsoft Word

Mikko Koivunen


Security teams often face the requirement to report on incidents to management or other stakeholders who do not have access to the security toolkit.

In some cases dashboards or Power BI can satisfy these needs, but many organisations still have processes that call for good old Office document-based reporting.

I’ve lately been thinking about ways to automate these workflows as much as possible, and in this blog post I describe a quick proof-of-concept for automated reporting from Azure Sentinel to a preformatted Word document stored in SharePoint.

There are some restrictions in this solution that you need to be aware of:

Report template

You need to create a template document with the static text and formatting you want the report to have, and add Content Controls that map to the data you want to pull from Sentinel.

Use the Design Mode feature from Word Developer tools. I’ve attached a couple of tutorial links in the Resources section below that will help with this step more than I can focus on here.

My example template looks like this:


The template needs to be stored in a SharePoint site that the Playbook can read.
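
A way to check the template before wiring it into the playbook, as an added example that is not part of the original post: it lists the Content Controls in the .docx and reports expected fields that are missing, untitled or duplicated. The field names (AlertName, Severity, Description) and the in-memory sample document are constructed for illustration, and only the main document part is inspected, not headers or footers.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

W = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
NS = {"w": W}


def list_content_controls(docx_bytes):
    """Return (title, tag) for every content control in word/document.xml."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        root = ET.fromstring(z.read("word/document.xml"))
    controls = []
    for pr in root.iter(f"{{{W}}}sdtPr"):
        alias = pr.find("w:alias", NS)  # the control's Title in Word
        tag = pr.find("w:tag", NS)      # the control's Tag in Word
        title = alias.get(f"{{{W}}}val") if alias is not None else None
        tag_value = tag.get(f"{{{W}}}val") if tag is not None else None
        controls.append((title, tag_value))
    return controls


def check_template(docx_bytes, expected_titles):
    """Compare control titles with the fields the playbook is expected to fill."""
    titles = [t for t, _ in list_content_controls(docx_bytes)]
    return {
        "missing": sorted(set(expected_titles) - set(titles)),
        "untitled": titles.count(None),
        "duplicates": sorted({t for t in titles if t and titles.count(t) > 1}),
    }


def build_sample_template():
    """Constructed sample: a minimal package with two titled controls and one untitled."""
    def sdt(title):
        props = f'<w:alias w:val="{title}"/><w:tag w:val="{title}"/>' if title else ""
        return (f"<w:sdt><w:sdtPr>{props}</w:sdtPr><w:sdtContent>"
                "<w:p><w:r><w:t>placeholder</w:t></w:r></w:p></w:sdtContent></w:sdt>")
    body = sdt("AlertName") + sdt("Severity") + sdt(None)
    xml = f'<w:document xmlns:w="{W}"><w:body>{body}</w:body></w:document>'
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/document.xml", xml)
    return buf.getvalue()


if __name__ == "__main__":
    # Hypothetical field names; replace with the ones your report needs.
    print(check_template(build_sample_template(), ["AlertName", "Severity", "Description"]))
```

To check a real template, pass the file's bytes, for example `check_template(open("template.docx", "rb").read(), [...])`.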

Playbook overview

Your playbook will have two relevant actions: “Populate a Microsoft Word template” and “Create file (SharePoint)”.

The first action loads the template document from our SharePoint site and maps our attributes to fields found in the template:

Logic App screenshot

After populating the template, we can create a new report file in a specified SharePoint site:

Logic App screenshot


After running the playbook from an alert, we find a new file in our SharePoint site:

Logic App screenshot

The report file looks like this:

Logic App screenshot