Forum Discussion
techjunk
Jun 21, 2024
Brass Contributor
Logic App Email Not Sending
Hello.
I have a Logic App that is supposed to check for Sentinel incidents every 10 minutes and send an email when an incident has been created. This only seems to work about 80% of the time and there is nothing obvious to me why emails aren't sent for all incidents captured by the query. Run history shows a status of "Succeeded" every time.
Here is the LA:
The Recurrence is 10 minutes.
Query:
SecurityIncident
| where TimeGenerated >= ago(10m)
| summarize arg_max(TimeGenerated, *) by IncidentNumber
| where Severity != "Informational"
| where Severity != "Low"
| where Status != "Closed"
| extend AlertNum = tostring(AlertIds[0])
| extend Generated = format_datetime(datetime_utc_to_local(TimeGenerated, 'US/Eastern'), "MM/dd/yyyy hh:mm tt")
| project Title, AlertNum, IncidentNumber, Generated, Severity, Status, IncidentUrl
| join (
    SecurityAlert
    | project SystemAlertId, Description
) on $left.AlertNum == $right.SystemAlertId
If I run the query outside of the Logic App it always returns the incident.
Within the LA run history the indication is there are no results:
As mentioned, this works about 80% of the time, so the configuration of the Send Email step is properly set up.
Any suggestions appreciated.
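One check for the setup described in the post, as an added example that is not part of the original post: the query below measures how long after `TimeGenerated` each `SecurityIncident` row became queryable, and flags incidents that a run on a fixed 10-minute grid with a 10-minute lookback would never have returned. The clock-aligned run times, the 7-day range and the per-row severity/status filter are assumptions; the real trigger times are in the Logic App run history.

```kusto
// Added diagnostic, not from the original post.
// Assumption: the Logic App fires on 10-minute clock boundaries.
let lookback = 10m;   // the "TimeGenerated >= ago(10m)" filter in the posted query
let period   = 10m;   // the 10-minute Recurrence
SecurityIncident
// ingestion_time() is when the row became queryable in the workspace.
| extend IngestedAt = ingestion_time()
| where TimeGenerated >= ago(7d)
// Same severity/status conditions as the posted query, applied per row here.
| where Severity !in ("Informational", "Low") and Status != "Closed"
| extend DelaySec = datetime_diff('second', IngestedAt, TimeGenerated)
// The first run that can see a row is the first tick after it was ingested.
| extend NextRun = bin(IngestedAt, period) + period
// That run keeps the row only if TimeGenerated is still inside its lookback.
| extend SeenByRun = TimeGenerated >= NextRun - lookback
| summarize Title       = take_any(Title),
            Rows        = count(),
            RowsSeen    = countif(SeenByRun),
            MaxDelaySec = max(DelaySec),
            FirstRow    = min(TimeGenerated)
          by IncidentNumber
// WouldEmail == false: no row of this incident fell inside any run's window.
| extend WouldEmail = RowsSeen > 0
| order by WouldEmail asc, FirstRow desc
```

Incidents listed with `WouldEmail == false` can be compared against the incidents for which no email arrived.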