Security teams often face the requirement to report on incidents to management or other stakeholders who do not have access to the security toolkit.
In some cases dashboards or Power BI can satisfy these needs, but for many organisations it is still the case that certain processes call for good old Office-document-based reporting.
I’ve lately been thinking about ways to automate these workflows as much as possible, and in this blog post I describe a quick proof of concept for automated reporting from Azure Sentinel into a preformatted Word document stored in SharePoint.
There are some restrictions in this solution that you need to be aware of:
- You need a Power Automate license (in order to run the MS Word actions in Logic Apps).
- The data model I use in this example is extremely simple and sparse, but hopefully it will give an idea of the possibilities.
- There is no Automation Rule for now, just a Playbook that needs to be run manually from an alert. If Sentinel someday gains the capability to run Automation Rules later in the incident lifecycle, instead of only for new incidents, this can be revisited.
- Real-world incident reporting does not rely only on automated output from a SIEM, but also on work logs from a ticketing system, comments from third parties, screenshots etc. SIEM reporting is complementary, and its value varies by case and organisation.
You need to create a template document with the static text and formatting you want the report to have, and add Content Controls that map to whatever data you want to pull from Sentinel.
Use the Design Mode feature in Word’s Developer tools. I’ve attached a couple of tutorial links in the Resources section below that will help with this step more than I can cover here.
My example template looks like this:
The template needs to be stored in a SharePoint site that the Playbook can read.
Your playbook will have two relevant actions: “Populate a Microsoft Word template” and “Create file” (SharePoint).
The first action loads the template document from our SharePoint site and maps our attributes to the Content Controls found in the template:
After populating the template, we can create a new report file in a specified SharePoint site:
After running the playbook from an alert, we find a new file in our SharePoint site:
The report file looks like this:
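To make the template-to-data mapping concrete, here is an added Python example that is not the author’s playbook (the playbook does this with the Word connector action): it fills tagged Content Controls inside a .docx and reads them back, so a generated report can be checked for leftover placeholder text before it is filed. The tag names IncidentNumber and Severity, the placeholder text, and the minimal one-part .docx are constructed assumptions.

```python
import io, zipfile
import xml.etree.ElementTree as ET
W = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
NS, T, SDT = {"w": W}, f"{{{W}}}t", f"{{{W}}}sdt"
ET.register_namespace("w", W)  # keep the conventional "w:" prefix on output

# Constructed stand-in for the template stored in SharePoint; the tag names are assumed.
def _control(tag: str) -> str:  # one paragraph holding a tagged plain-text content control
    return f'<w:p><w:sdt><w:sdtPr><w:tag w:val="{tag}"/></w:sdtPr><w:sdtContent><w:r><w:t>Click here to enter text.</w:t></w:r></w:sdtContent></w:sdt></w:p>'
DOCUMENT_XML = f'<w:document xmlns:w="{W}"><w:body>{_control("IncidentNumber")}{_control("Severity")}</w:body></w:document>'

def build_template() -> bytes:
    """Package DOCUMENT_XML as a minimal .docx zip (only the part we edit)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/document.xml", DOCUMENT_XML)
    return buf.getvalue()

def _controls(root):
    """Yield (tag name, sdtContent element) for every tagged content control."""
    for sdt in root.iter(SDT):
        tag, content = sdt.find("w:sdtPr/w:tag", NS), sdt.find("w:sdtContent", NS)
        if tag is not None and content is not None:
            yield tag.get(f"{{{W}}}val"), content

def read_control_values(docx_bytes: bytes) -> dict:
    """{tag: text} per control; use it to check a report for leftover placeholders."""
    root = ET.fromstring(zipfile.ZipFile(io.BytesIO(docx_bytes)).read("word/document.xml"))
    return {name: "".join(t.text or "" for t in c.iter(T)) for name, c in _controls(root)}

def populate_template(docx_bytes: bytes, data: dict) -> bytes:
    """Fill each control whose tag is a key of `data`; an unmatched key raises."""
    src = zipfile.ZipFile(io.BytesIO(docx_bytes))
    root = ET.fromstring(src.read("word/document.xml"))
    filled = set()
    for name, content in _controls(root):
        if name not in data:
            continue
        runs = list(content.iter(T)) or [ET.SubElement(ET.SubElement(content, f"{{{W}}}r"), T)]
        runs[0].text = str(data[name])
        for extra in runs[1:]:  # Word may split placeholder text over several runs
            extra.text = ""
        filled.add(name)
    if set(data) - filled:  # never ship a silently incomplete report
        raise KeyError(f"template has no content control for: {sorted(set(data) - filled)}")
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w") as z:
        for item in src.namelist():  # copy every part, replacing only document.xml
            z.writestr(item, ET.tostring(root) if item == "word/document.xml" else src.read(item))
    return out.getvalue()
```

Running read_control_values over the file the playbook wrote to SharePoint is a cheap final check that every control received a value.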