Forum Discussion
NastyNoah03
Nov 20, 2023, Copper Contributor
Help me add a column from sentinel logs into Analytic rule alert.
Hello all,
I created an analytic rule that I want to pull data from and push into an automated email alert.
I already have a playbook where it automatically sends an email alert to me when the criteria are met.
Attached is a screenshot of the data field I want to pull, and there is also a screenshot of the alert that is sent to me that I wish to include the log information, as well as a screenshot of the logic app that makes the alert.
My theory is that I have to modify the dynamic content inside of my logic app used to send out the automatic alert?
Any guidance or answers on this would be greatly appreciated.
Thanks
1 Reply
- Clive_Watson (Bronze Contributor): Hi, is the data field an entity you wish to use? This article is a great primer on how to do that: https://techcommunity.microsoft.com/t5/microsoft-sentinel/parsing-entities-from-azure-sentinel-incident-into-logic-apps/m-p/2614388
and
https://learn.microsoft.com/en-us/azure/sentinel/tutorial-respond-threats-playbook?tabs=LAC%2Cincidents
and
https://learn.microsoft.com/en-us/azure/sentinel/tutorial-enrich-ip-information
You also have the option to do a Logs Query in the Logic App in a separate step to extract any other data you might need.
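As an added illustration of the two approaches in the reply (not code from the thread or from Microsoft), the Python below shapes the entities handed over by a Sentinel incident trigger and the rows returned by a separate Logs Query step into the plain text an email action would send. The incident JSON layout (`kind` + `properties`), the SigninLogs column names and every sample value are assumptions constructed for the example.

```python
from typing import Any

# Constructed sample of what the Sentinel incident trigger hands the Logic App
# (assumption: entities use the incident schema's kind + properties layout;
# all values are made up).
SAMPLE_INCIDENT = {
    "properties": {
        "title": "Suspicious sign-in from new location",
        "relatedEntities": [
            {"kind": "Account", "properties": {"accountName": "jdoe", "upnSuffix": "example.com"}},
            {"kind": "Ip", "properties": {"address": "203.0.113.7"}},
        ],
    }
}

# Constructed sample of the rows a Logs Query action returns; the column names
# mirror the SigninLogs table (assumption) but the rows are made up.
SAMPLE_ROWS = [
    {"TimeGenerated": "2023-11-20T09:14:03Z", "UserPrincipalName": "jdoe@example.com",
     "ResultDescription": "MFA denied", "IPAddress": "203.0.113.7"},
    {"TimeGenerated": "2023-11-20T09:15:41Z", "UserPrincipalName": "jdoe@example.com",
     "ResultDescription": "MFA denied"},  # IPAddress deliberately absent
]

def flatten_entities(incident: dict[str, Any]) -> dict[str, str]:
    """Map every entity property to 'Kind.property' -> value.

    An incident with no mapped entities yields {} instead of failing the run.
    """
    out: dict[str, str] = {}
    for ent in incident.get("properties", {}).get("relatedEntities") or []:
        kind = ent.get("kind", "Unknown")
        for key, value in (ent.get("properties") or {}).items():
            out[f"{kind}.{key}"] = str(value)
    return out

def rows_to_lines(rows: list[dict[str, Any]], columns: list[str]) -> list[str]:
    """Render the selected query columns as 'col=value' lines, one per row.

    A column missing from a row is shown as '-' so the row still reaches the email.
    """
    return [" | ".join(f"{c}={row.get(c, '-')}" for c in columns) for row in rows]

def build_email_body(incident: dict[str, Any], rows: list[dict[str, Any]], columns: list[str]) -> str:
    """Combine entity fields and query rows into the plain-text body for the email action."""
    header = [f"{k}: {v}" for k, v in sorted(flatten_entities(incident).items())]
    return "\n".join(header + ["", f"{len(rows)} matching log rows:"] + rows_to_lines(rows, columns))

if __name__ == "__main__":
    print(build_email_body(SAMPLE_INCIDENT, SAMPLE_ROWS,
                           ["TimeGenerated", "UserPrincipalName", "ResultDescription", "IPAddress"]))
```

In the Logic App the same two pieces of data are the incident trigger's entity arrays and the `value` array of the Logs Query action; the functions show which fields to reference as dynamic content and how to tolerate an alert where a mapped field is empty.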