Forum Discussion
Include Additional Entities Detail in Email
- Two options:
1. You can amend the Playbook to run a new KQL query to do the UPN lookup and geo lookup https://learn.microsoft.com/en-us/azure/data-explorer/kusto/query/geo-info-from-ip-address-function
2. You can disable the atypical travel alert with an Automation Rule, then write run your own version of Atypical travel with all the enrichments you need and call the playbook from that
Okay, maybe it's not just me being a dummy. I tried using that step but the 'Subscription' field doesn't populate. I figured that it wasn't licensed on my subscription somehow. Guess I need to figure out what's causing this then.
Have you tried making sure you're not filtering out any subsciptions in the portal settings?
Thought that might be it for a moment or two - when I looked at the settings it was filtered to 1 subscription. However, I changed the filter to All Subscriptions and the Subscription field still shows "Loading..." for 1-2 seconds then says 'No Items'. I logged out and back in to ensure it wasn't related to the session. Still nothing.
It can depend what Subscription you need. If its the Sentinel Workspace one, that is available as "Dynamic content" - search for "Subscription" in the box that pops up when you click on the Subscription field
