Forum Discussion
ameri1805
Jan 02, 2023, Copper Contributor
Extract query results from sentinel incident trigger logic app connector
Folks, Does anyone know if it’s possible to do the following: We have an analytic rule powered by a very simple query (2-line query) The results would produce results like these (If you were to ru...
Clive_Watson
Bronze Contributor
The SecurityAlert Table has the query, so you can always use the Logic Apps to extract and re-run that.
The Incident payload is kept brief, so only brings back minimal data by design, so if you need all the columns, you can re-run the query from the Alert or, if it really is 2 lines, then just run it again.
Just be aware that if the original query was scoped to a small duration like 5 mins, by the time the Logic App runs you may need to change the scope to capture the same time period.
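As an added illustration of the approach in the reply above (this is example KQL, not code from the thread or from Microsoft), the query below pulls the analytics rule's original query text and the time window it actually evaluated out of the SecurityAlert table. It assumes the alert came from a scheduled analytics rule, which writes the `Query`, `Query Period`, `Query Start Time UTC` and `Query End Time UTC` keys into ExtendedProperties; `<ALERT_ID>` is a placeholder for the SystemAlertId taken from the incident trigger's alert list.

```kusto
// Added example: recover the rule's query and its evaluation window from the alert record.
// <ALERT_ID> is a placeholder for the SystemAlertId supplied by the Sentinel incident trigger.
SecurityAlert
| where SystemAlertId == "<ALERT_ID>"
| extend props = parse_json(ExtendedProperties)
| project
    AlertName,
    TimeGenerated,
    // the exact KQL the analytics rule ran
    OriginalQuery = tostring(props["Query"]),
    // lookback the rule was configured with (e.g. PT5M)
    QueryPeriod   = tostring(props["Query Period"]),
    // the window the rule searched; re-run against this rather than ago(5m),
    // because the Logic App fires later than the rule did
    WindowStart   = todatetime(props["Query Start Time UTC"]),
    WindowEnd     = todatetime(props["Query End Time UTC"])
```

In the Logic App, the `OriginalQuery` value can then be handed to the Azure Monitor Logs "Run query and list results" action to get every column back. Set that action's time range to cover `WindowStart` to `WindowEnd` instead of relying on an `ago()` clause inside the query, so the re-run sees the same events the rule saw even though it executes minutes later.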
ameri1805
Jan 03, 2023, Copper Contributor
Clive_Watson thanks for the reply. Yes I figured that if something as straightforward as this didn't get an answer very quickly, there was no way to do it just with the "Microsoft Sentinel Incident" connector.