Forum Discussion

Mobile_Walk_In
Copper Contributor
May 10, 2024

Send an Email with Incident Details

I'm endeavoring to manage incident responses in Sentinel using Logic Apps. However, I'm encountering a challenge: my COMPOSE action involves multiple JSON objects. One JSON contains information about the initiating user, the next about the affected user, and so forth. The issue arises when I attempt to send an email related to the incident, as the Logic App triggers multiple emails—one for each JSON object.

My goal is to consolidate this information into a single email, providing a comprehensive overview of the incident. For instance:

"Hello, [initiating user from JSON1],

Sentinel has detected an alarm due to your recent activity involving multiple users: [affected user 1 from JSON2], [affected user 2 from JSON3], and [affected user 3 from JSON4].
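One way to get a single email instead of one per object, as an added example that is not from this thread or from the commenter's blog: a Logic App workflow-definition excerpt (code view) that fetches the incident's account entities once, maps them to names with a Select action, and joins them into one string with join(), so the Send email action sits outside any For each loop. Assumed, not taken from the thread: a Microsoft Sentinel incident trigger, API connection names azuresentinel and office365, the Accounts / Name / AadUserId field names of the "Entities - Get Accounts" output, and the recipient address; strip the // comments before pasting into code view, since the definition itself is plain JSON.

```jsonc
{
  "actions": {
    // Assumed Sentinel connector action: resolve the incident's related entities to account objects.
    "Entities_-_Get_Accounts": {
      "type": "ApiConnection",
      "inputs": {
        "host": { "connection": { "name": "@parameters('$connections')['azuresentinel']['connectionId']" } },
        "method": "post",
        "path": "/entities/account",
        "body": "@triggerBody()?['object']?['properties']?['relatedEntities']"
      },
      "runAfter": {}
    },
    // Select runs over the whole array in one step and returns an array of strings,
    // one per account (field names Accounts/Name/AadUserId are assumed).
    "Select_account_names": {
      "type": "Select",
      "inputs": {
        "from": "@body('Entities_-_Get_Accounts')?['Accounts']",
        "select": "@coalesce(item()?['Name'], item()?['AadUserId'], 'unknown account')"
      },
      "runAfter": { "Entities_-_Get_Accounts": [ "Succeeded" ] }
    },
    // Collapse the array to a single comma-separated string; no For each is needed.
    "Compose_affected_users": {
      "type": "Compose",
      "inputs": "@join(body('Select_account_names'), ', ')",
      "runAfter": { "Select_account_names": [ "Succeeded" ] }
    },
    // Exactly one email, built from the incident title and the joined account list.
    "Send_an_email_(V2)": {
      "type": "ApiConnection",
      "inputs": {
        "host": { "connection": { "name": "@parameters('$connections')['office365']['connectionId']" } },
        "method": "post",
        "path": "/v2/Mail",
        "body": {
          "To": "soc@example.com",
          "Subject": "@concat('Sentinel incident: ', triggerBody()?['object']?['properties']?['title'])",
          "Body": "@concat('<p>Sentinel has detected an alarm involving multiple users: ', outputs('Compose_affected_users'), '.</p>')"
        }
      },
      "runAfter": { "Compose_affected_users": [ "Succeeded" ] }
    }
  }
}
```

The same Select-then-join pattern works for any other entity type (hosts, IPs); the only thing that must not happen is placing the email action inside a For each over the entity array.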
3 Replies

    • Mobile_Walk_In
      Copper Contributor
      "Thank you for your assistance! Currently, I'm endeavoring to manage incident responses in Sentinel using Logic Apps. However, I'm encountering a challenge: my COMPOSE action involves multiple JSON objects. One JSON contains information about the initiating user, the next about the affected user, and so forth. The issue arises when I attempt to send an email related to the incident, as the Logic App triggers multiple emails—one for each JSON object.

      My goal is to consolidate this information into a single email, providing a comprehensive overview of the incident. For instance:

      "Hello, [initiating user from JSON1],

      Sentinel has detected an alarm due to your recent activity involving multiple users: [affected user 1 from JSON2], [affected user 2 from JSON3], and [affected user 3 from JSON4].

      Does this clarification help in understanding the situation?"
  • AllenVisser
    Copper Contributor
    howzit bud, in what platform is this incident log being produced? Is there information being produced in any Log Analytics workspace tables?
    I'm happy to help you write a KQL query to monitor the respective table for a result (on a recurring trigger) and then send an email with the dynamic content you require, e.g. username, email, IP.
    Kinda using the same principle on my blog from step 6. https://allenvisser.azurewebsites.net/2024/04/24/brute-force-attacks/
    vote if you like, and respond if you wanna deep dive this 🙂