Forum Discussion
Azure Sentinel Logic App Action Incident ID
- Sep 26, 2019
You need to use the System Alert ID.
Thanks GaryBushey. Still broken if I take the body from an API pull (which works); will call Premier support this week now that it's GA.
- Cristian Calinescu, Nov 21, 2019, Brass Contributor
ryanksmith GaryBushey Molx32 This only works for alert rules that are query based, because you can attach a playbook to them on the Automated Response tab. But what about the Microsoft Security rules, like "Create incidents based on Azure ATP alerts" or MCAS alerts? You can't attach a playbook to those. So how do you get it to automatically log a SNOW incident, let's say, or send an email whenever an Azure Sentinel incident of such a type is created? I couldn't find a way other than a logic app which gets all newly created security alerts from the Microsoft Graph, then takes the Alert ID and checks if an Azure Sentinel incident exists with that alert ID, and if it does, continues with actions like logging a SNOW ticket and sending an email notification. But it's messy and doesn't really work as expected (sometimes it generates duplicate incidents). Anyway, if anyone has any idea on how you could, at the moment and with the current functionalities, create a logic app which gets all newly created Azure Sentinel incidents and that you could set to run automatically, so you could also get the Microsoft Security rules incidents, please kindly share. Hope the above makes sense.
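The duplicate-ticket problem described in the post above comes from two places: one Sentinel incident can group several alerts, so matching ticket creation to alerts fires once per alert, and a polling run can return an alert it already returned last time. The script below is an added example, not code from the thread or from Microsoft; it shows the matching and de-duplication step in plain Python rather than as Logic App actions. It assumes the column names of the Log Analytics `SecurityAlert` (`SystemAlertId`) and `SecurityIncident` (`IncidentNumber`, `AlertIds`) tables, and the rows it runs over are constructed sample data, not real alerts. The "persisted" set of already-handled incident numbers stands in for whatever state store the real workflow would use between runs.

```python
import json
from typing import Dict, Iterable, List, Set

# Constructed sample rows shaped like the SecurityAlert table (only the
# columns the matching needs). The last row repeats "a1" to simulate the
# same alert being returned again by the next polling run.
SAMPLE_ALERTS = [
    {"SystemAlertId": "a1", "AlertName": "Suspicious sign-in", "ProviderName": "Azure Advanced Threat Protection"},
    {"SystemAlertId": "a2", "AlertName": "Impossible travel", "ProviderName": "MCAS"},
    {"SystemAlertId": "a3", "AlertName": "Scheduled query hit", "ProviderName": "ASI Scheduled Alerts"},
    {"SystemAlertId": "a9", "AlertName": "Not yet grouped", "ProviderName": "MCAS"},
    {"SystemAlertId": "a1", "AlertName": "Suspicious sign-in", "ProviderName": "Azure Advanced Threat Protection"},
]

# Constructed sample rows shaped like the SecurityIncident table. AlertIds is
# stored as a JSON array in a string, which is how the table exposes it.
SAMPLE_INCIDENTS = [
    {"IncidentNumber": 101, "Title": "Suspicious sign-in", "AlertIds": json.dumps(["a1", "a2"])},
    {"IncidentNumber": 102, "Title": "Scheduled query hit", "AlertIds": json.dumps(["a3"])},
    {"IncidentNumber": 103, "Title": "Closed, no alerts", "AlertIds": "[]"},
]


def index_incidents_by_alert(incidents: Iterable[dict]) -> Dict[str, dict]:
    """Map every SystemAlertId to the incident that groups it.

    AlertIds may be empty, missing, or a JSON array string; anything that is
    not a list of strings is treated as "no alerts" rather than raising.
    """
    by_alert: Dict[str, dict] = {}
    for inc in incidents:
        raw = inc.get("AlertIds") or "[]"
        try:
            ids = json.loads(raw)
        except (TypeError, ValueError):
            ids = []
        if not isinstance(ids, list):
            ids = []
        for alert_id in ids:
            if isinstance(alert_id, str):
                by_alert[alert_id] = inc
    return by_alert


def process_alerts(alerts: Iterable[dict], incidents: Iterable[dict], seen_incidents: Set[int]) -> List[int]:
    """Return the incident numbers that need a ticket/e-mail this run.

    Each incident is acted on at most once: repeats within the batch are
    collapsed, and seen_incidents (persisted by the caller between polls)
    suppresses incidents handled on earlier runs. Alerts with no matching
    incident are skipped; they will be picked up once Sentinel groups them.
    """
    by_alert = index_incidents_by_alert(incidents)
    to_notify: List[int] = []
    for alert in alerts:
        inc = by_alert.get(alert.get("SystemAlertId", ""))
        if inc is None:
            continue  # alert not (yet) part of any incident
        number = inc["IncidentNumber"]
        if number in seen_incidents:
            continue  # already ticketed, either earlier in this batch or on a previous run
        seen_incidents.add(number)
        to_notify.append(number)
    return to_notify


if __name__ == "__main__":
    persisted: Set[int] = set()
    print("first run:", process_alerts(SAMPLE_ALERTS, SAMPLE_INCIDENTS, persisted))   # [101, 102]
    print("second run:", process_alerts(SAMPLE_ALERTS, SAMPLE_INCIDENTS, persisted))  # []
```

The same shape carries over to a Logic App: a query over `SecurityIncident` keyed on the alert, a check against a state store before the ServiceNow and Office 365 actions, and a write to that store afterwards. Keying the check on the incident number rather than the alert id is what stops one incident with several alerts from producing several tickets.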