Forum Discussion
Singanna
Aug 09, 2021 (Copper Contributor)
Custom Alerts output in logic App
Hello, I have a created a custom alert to notify when there is a user added or deleted to Active Directories. This query list down the few values which I would like to use them in Logic APP to trigg...
GaryBushey
Aug 10, 2021 (Bronze Contributor)
In that case you can use the Azure Sentinel Entities action to get the different types of Entities (Accounts, FileHashes, Hosts, IPs, and URLs) to get the data. The information is stored as a JSON array, since you can have multiple entries in each, so you will need to parse the JSON afterwards to get to the individual entry in each one.
Luuk_Jansen
Sep 05, 2022 (Copper Contributor)
How does this work for custom entities, that are not defined under entity mapping?
- Jonhed
Sep 05, 2022 (Steel Contributor)
Actually, the query used to trigger the alert is also included within the extended properties of the alert trigger, so retrieving the same data again to add to an email is not impossible.
https://cloudblogs.microsoft.com/industry-blog/en-gb/cross-industry/2020/04/27/azure-sentinel-adding-the-query-data-to-an-alert-in-a-playbook/
It appears to not be supported officially due to some unreliable factors, so responsibility falls on the user, I guess, but I have used it successfully in the past. I really wish they could support this usage officially.
https://docs.microsoft.com/en-us/connectors/azuresentinel/#restoring-alerts-original-query-is-currently-not-supported-via-logic-apps
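Putting the two answers above together (the entity array Gary describes and the query carried in the alert's extended properties that Jonhed mentions), here is an added Python example that is not from any poster or from Microsoft. It parses a constructed alert payload into the strings you would drop into the notification email; the field names used (`Type`, `Name`, `UPNSuffix`, `NTDomain`, `HostName`, `ExtendedProperties.Query`) are assumptions about the trigger schema and should be checked against a real alert body.

```python
import json

# Constructed sample of an alert body as a Logic App trigger might deliver it.
# Field names are an assumption about the Sentinel entity schema, not a captured payload.
SAMPLE_ALERT = {
    "AlertDisplayName": "AD user account created or deleted",
    "ExtendedProperties": {
        "Query": "SecurityEvent | where EventID in (4720, 4726) "
                 "| project TimeGenerated, TargetUserName, SubjectUserName",
        "Query Period": "PT1H",
    },
    "Entities": [
        {"Type": "account", "Name": "jdoe", "UPNSuffix": "contoso.example"},
        {"Type": "host", "HostName": "DC01", "DnsDomain": "corp.contoso.example"},
        {"Type": "account", "Name": "svc-backup", "NTDomain": "CORP"},
        {"Type": "ip", "Address": "10.0.0.5"},
    ],
}


def load_alert(payload):
    """Accept either the parsed dict or the raw JSON string a connector may hand over."""
    return json.loads(payload) if isinstance(payload, str) else payload


def entities_by_type(alert, entity_type):
    """Return every entity of one kind; the array can hold several of each kind."""
    return [e for e in alert.get("Entities", []) if e.get("Type", "").lower() == entity_type]


def account_label(acct):
    """Render an account entity as UPN, DOMAIN\\name, or bare name, whichever fields exist."""
    name = acct.get("Name") or acct.get("DisplayName") or "<unknown>"
    if acct.get("UPNSuffix"):
        return f"{name}@{acct['UPNSuffix']}"
    if acct.get("NTDomain"):
        return f"{acct['NTDomain']}\\{name}"
    return name


def original_query(alert):
    """The KQL that fired the alert, if the trigger carried it (not guaranteed, per the docs)."""
    return alert.get("ExtendedProperties", {}).get("Query")


def build_email_body(payload):
    alert = load_alert(payload)
    accounts = [account_label(a) for a in entities_by_type(alert, "account")]
    hosts = [h.get("HostName", "<unknown>") for h in entities_by_type(alert, "host")]
    lines = [f"Alert: {alert.get('AlertDisplayName', '<untitled>')}",
             "Accounts: " + (", ".join(accounts) or "none"),
             "Hosts: " + (", ".join(hosts) or "none")]
    if original_query(alert):
        lines.append("Query: " + original_query(alert))
    return "\n".join(lines)
```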