afiore1130
Jun 27, 2024 | Copper Contributor
How to Include Custom Details from an Alert in Email Generated by a Playbook
I have created an analytics rule that queries Sentinel for security events pertaining to group membership additions, and triggers an alert for each event found. The rule does not create an incident. ...
afiore1130
Sep 18, 2024 | Copper Contributor
Yes, I was able to get it working. Essentially, the missing piece was taking the custom details collected in the analytics rule (that are in JSON) and, in the playbook, adding them to a variable and then parsing the JSON. Here are the steps.
- Initialize variable and add custom details (screenshots #1 & 2).
- Parse the JSON (screenshots #3 & 4). In this step you should update the schema to match the Custom Details names you are using in your analytics rule. You can check the output from your alert by selecting the playbook and then reviewing the 'Runs History'.
- Add the custom details to the email (screenshots #5 & 6).
Hope that helps.
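
The three steps above as they might look in the playbook's code view; this is an added example, not part of the original post. The custom detail names (GroupName, AddedMember, AddedBy) are hypothetical, the trigger token is a placeholder, and the array-of-strings shape of each value is an assumption to confirm against the playbook's 'Runs History'.

```json
{
  "Initialize_CustomDetails": {
    "type": "InitializeVariable",
    "description": "Step 1. The value is a placeholder: select the alert trigger's custom details token in the designer.",
    "inputs": {
      "variables": [
        {
          "name": "CustomDetails",
          "type": "string",
          "value": "<custom details token from the alert trigger>"
        }
      ]
    },
    "runAfter": {}
  },
  "Parse_CustomDetails": {
    "type": "ParseJson",
    "description": "Step 2. Property names are hypothetical; use the Custom Details names defined in the analytics rule.",
    "inputs": {
      "content": "@variables('CustomDetails')",
      "schema": {
        "type": "object",
        "properties": {
          "GroupName": { "type": "array", "items": { "type": "string" } },
          "AddedMember": { "type": "array", "items": { "type": "string" } },
          "AddedBy": { "type": "array", "items": { "type": "string" } }
        }
      }
    },
    "runAfter": { "Initialize_CustomDetails": [ "Succeeded" ] }
  },
  "Compose_EmailBody": {
    "type": "Compose",
    "description": "Step 3. Use this output as the body of the email action; a detail missing from the alert renders as n/a.",
    "inputs": "<p>Group: @{join(coalesce(body('Parse_CustomDetails')?['GroupName'], createArray('n/a')), ', ')}</p><p>Member added: @{join(coalesce(body('Parse_CustomDetails')?['AddedMember'], createArray('n/a')), ', ')}</p><p>Added by: @{join(coalesce(body('Parse_CustomDetails')?['AddedBy'], createArray('n/a')), ', ')}</p>",
    "runAfter": { "Parse_CustomDetails": [ "Succeeded" ] }
  }
}
```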
akshay25june
Feb 21, 2026 | Copper Contributor
How do I add this step to the Email Notifications Incident Format playbook? The Email Incident Format has a limited entities field and is not extracting custom details. Could you please help?