Forum Discussion
Solved
Include Additional Entities Detail in Email
Hey all, I am relatively new to Sentinel and I've run across a situation I can't seem to resolve. I've enabled the "SentinelIncident" automation rule and I've configured it to run the 'Send-ema...
- Two options:
1. You can amend the Playbook to run a new KQL query to do the UPN lookup and geo lookup https://learn.microsoft.com/en-us/azure/data-explorer/kusto/query/geo-info-from-ip-address-function
2. You can disable the atypical travel alert with an Automation Rule, then write run your own version of Atypical travel with all the enrichments you need and call the playbook from that
Two options:
1. You can amend the Playbook to run a new KQL query to do the UPN lookup and geo lookup https://learn.microsoft.com/en-us/azure/data-explorer/kusto/query/geo-info-from-ip-address-function
2. You can disable the atypical travel alert with an Automation Rule, then write run your own version of Atypical travel with all the enrichments you need and call the playbook from that
1. You can amend the Playbook to run a new KQL query to do the UPN lookup and geo lookup https://learn.microsoft.com/en-us/azure/data-explorer/kusto/query/geo-info-from-ip-address-function
2. You can disable the atypical travel alert with an Automation Rule, then write run your own version of Atypical travel with all the enrichments you need and call the playbook from that
I went off to begin digging into these details but then got sidetracked by other things, you know life. And now I've come back to this. I've got queries that pull the geolocation info and I am able to get the UPN data. But I'm not sure how to "amend the Playbook to run a new KQL query". I don't see an option in the Playbook editor for running a KQL query - am I just missing something?
Okay, maybe it's not just me being a dummy. I tried using that step but the 'Subscription' field doesn't populate. I figured that it wasn't licensed on my subscription somehow. Guess I need to figure out what's causing this then.
Have you tried making sure you're not filtering out any subsciptions in the portal settings?
