
Add UK incident reporting compliance assistant Logic App#75

Merged
TFT444 merged 3 commits into
devfrom
feature/incident-reporting-playbook
Jun 6, 2026

Conversation

@TFT444 TFT444 commented Jun 4, 2026

Summary

Closes #74

Adds a new Logic App playbook (logic-apps/incident-reporting/) that acts as a UK compliance assistant for High and Critical severity Sentinel incidents. It automates the drafting and notification steps required under the Cyber Security and Resilience Bill (24-hour early-warning) and GDPR/ICO (72-hour full-report deadline) — without ever auto-submitting to any government system.

What's included

  • logic-apps/incident-reporting/workflow.json — ARM template for the Logic App
  • logic-apps/incident-reporting/README.md — UK regulatory context, configuration guide, and critical design notes
  • logic-apps/README.md — Updated to list the new playbook alongside block-ip, isolate-endpoint, quarantine-email, and suspend-terminal

How the playbook works

  1. Triggers on any Sentinel incident with severity High or Critical
  2. Extracts affected entities (accounts, hosts, IPs) via the Sentinel entities API
  3. Calculates the 24-hour CSR Bill deadline and 72-hour GDPR deadline from detection time
  4. Composes a full HTML email with:
    • Incident title, detection timestamp, affected entities, MITRE technique, RetailShield rule ID
    • Pre-filled draft report using UK regulator structure (ICO / NCSC)
    • Both deadline timestamps highlighted
    • Official reporting links: ICO breach tool and NCSC incident management
    • Clear disclaimer that a human must review and submit
  5. Emails the retailer's own designated compliance contact (configurable parameter — not any government address)
  6. Posts a comment back to the Sentinel incident confirming the notification was generated and recording both deadlines

Critical design note

This playbook assists compliance — it never auto-files official government reports. That requires human judgement and legal review. False or premature government filings carry their own regulatory risk.


How to test

  1. Deploy the ARM template to a resource group with an existing Sentinel workspace:

    az deployment group create \
      --resource-group <rg-name> \
      --template-file logic-apps/incident-reporting/workflow.json \
      --parameters workspaceName=<workspace> complianceContactEmail=<your-email> organisationName="Test Org"
  2. Authorise API connections — after deployment, open the Logic App in the Azure portal and authorise both azuresentinel and office365 connections under API Connections.

  3. Grant Sentinel Responder role to the Logic App's system-assigned managed identity on the Log Analytics workspace.

  4. Create a test Sentinel incident with severity High or Critical in the workspace. You can do this via the Sentinel portal → Incidents → Create incident (or fire a test analytics rule).

  5. Verify:

    • The designated compliance email address receives the HTML email with both deadline timestamps, the draft report, and the two official UK reporting links
    • The Sentinel incident has a new comment confirming the compliance notification was sent, with the 24h and 72h deadlines recorded
    • For a Medium or Low severity incident, confirm the playbook exits without sending an email (the Check_severity condition gates all downstream actions)

Generated by Claude Code
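As an added illustration (not code from this PR, and not the RetailShield project's own workflow.json), the following Python models the control flow the description lists above: the Check_severity gate that lets only High and Critical incidents through, the 24-hour CSR Bill and 72-hour GDPR/ICO deadlines computed from the detection timestamp, the pre-filled draft report, and the comment written back to the incident. The incident field names, the sample incident, the rule ID and the link placeholders are this example's assumptions; the real playbook expresses the same steps as Logic App actions.

```python
import re
from datetime import datetime, timedelta, timezone
from typing import Optional

# Severities that open the gate; anything else exits without sending (mirrors
# the Check_severity condition described in the PR).
REPORTABLE_SEVERITIES = {"High", "Critical"}

# Deadlines named in the PR: 24h CSR Bill early warning, 72h GDPR/ICO full report.
CSR_BILL_EARLY_WARNING = timedelta(hours=24)
GDPR_ICO_FULL_REPORT = timedelta(hours=72)

# Placeholders: the PR links to the ICO breach tool and NCSC incident
# management pages; this example deliberately does not hard-code URLs.
ICO_LINK = "<ICO breach reporting tool URL>"
NCSC_LINK = "<NCSC incident management URL>"

# Constructed sample incident. Field names are this example's own, not the
# Sentinel incident schema; the rule ID is a made-up placeholder.
SAMPLE_INCIDENT = {
    "title": "Suspicious bulk download from file server",
    "severity": "High",
    "detected_at": "2026-06-04T09:15:00.1234567Z",
    "entities": {"accounts": ["jdoe"], "hosts": ["FS-01"], "ips": ["203.0.113.7"]},
    "mitre_technique": "T1530",
    "rule_id": "RS-EXAMPLE-001",
    "compliance_contact": "compliance@example.org",
}


def parse_detection_time(value: str) -> datetime:
    """Parse an ISO 8601 timestamp and normalise it to an aware UTC datetime.

    Azure emits timestamps such as '2026-06-04T09:15:00.1234567Z'; the seven
    fractional digits are truncated to six so datetime.fromisoformat accepts
    them on every supported Python version. A naive timestamp is treated as
    UTC, so deadlines never drift with the host's local timezone.
    """
    value = re.sub(r"(\.\d{6})\d+", r"\1", value)
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"
    dt = datetime.fromisoformat(value)
    if dt.tzinfo is None:
        dt = dt.replace(tzinfo=timezone.utc)
    return dt.astimezone(timezone.utc)


def compute_deadlines(detected_at: str) -> dict:
    """Return both regulatory deadlines as ISO 8601 UTC strings."""
    t0 = parse_detection_time(detected_at)
    return {
        "csr_bill_24h": (t0 + CSR_BILL_EARLY_WARNING).isoformat(),
        "gdpr_ico_72h": (t0 + GDPR_ICO_FULL_REPORT).isoformat(),
    }


def draft_notification(incident: dict) -> Optional[dict]:
    """Build the email and incident comment, or return None if the gate blocks it."""
    if incident.get("severity") not in REPORTABLE_SEVERITIES:
        return None  # Medium/Low: no email, no comment, nothing downstream runs
    deadlines = compute_deadlines(incident["detected_at"])
    ent = incident.get("entities", {})
    report = "\n".join([
        f"Incident: {incident['title']}",
        f"Detected (UTC): {parse_detection_time(incident['detected_at']).isoformat()}",
        f"Affected accounts: {', '.join(ent.get('accounts', [])) or 'none'}",
        f"Affected hosts: {', '.join(ent.get('hosts', [])) or 'none'}",
        f"Affected IPs: {', '.join(ent.get('ips', [])) or 'none'}",
        f"MITRE technique: {incident.get('mitre_technique', 'n/a')}",
        f"Detection rule: {incident.get('rule_id', 'n/a')}",
        f"CSR Bill early warning due: {deadlines['csr_bill_24h']}",
        f"GDPR/ICO full report due: {deadlines['gdpr_ico_72h']}",
        f"Report via: {ICO_LINK} / {NCSC_LINK}",
        "DRAFT ONLY: a human must review this before anything is submitted.",
    ])
    comment = (
        "Compliance notification generated. "
        f"24h deadline {deadlines['csr_bill_24h']}; "
        f"72h deadline {deadlines['gdpr_ico_72h']}."
    )
    return {
        "to": incident["compliance_contact"],  # retailer's own contact, never a regulator
        "subject": f"[{incident['severity']}] UK reporting deadlines: {incident['title']}",
        "body": report,
        "incident_comment": comment,
        "deadlines": deadlines,
    }


if __name__ == "__main__":
    result = draft_notification(SAMPLE_INCIDENT)
    print(result["body"] if result else "severity below threshold; nothing sent")
```

The timestamp normalisation is the part most worth copying into a real test: an offset timestamp such as `2026-06-04T10:15:00+01:00` must yield the same deadlines as `2026-06-04T09:15:00Z`, otherwise the 24-hour window shifts by the sender's timezone.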

… App

Triggered on High/Critical Sentinel incidents; calculates 24h CSR Bill
and 72h GDPR/ICO deadlines, drafts ICO/NCSC-format report, emails
compliance contact. Never auto-files with any government body.

Closes #74

vercel Bot commented Jun 4, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

Project: retail-shield; Deployment: Ready; Actions: Preview, Comment; Updated (UTC): Jun 5, 2026 2:00pm

TFT444 added 2 commits June 5, 2026 13:59
The file was stored with literal \n sequences instead of real newlines
(MCP push_files encoding bug from previous session), causing syntax
errors in pytest and flake8 on every branch forked from dev.
@TFT444 TFT444 merged commit 91a9c4f into dev Jun 6, 2026
8 checks passed
@TFT444 TFT444 deleted the feature/incident-reporting-playbook branch June 6, 2026 10:52