alexl_2397, Copper Contributor, Jun 10, 2024
Parsing a Sentinel Alert through Logic App
Hi.
I'm struggling with configuring a Logic App to be run when a Sentinel alert is triggered.
More specifically, the details of the Sentinel alert being printed out via the Logic App.
The query the alert runs is:
AuditLogs
| where TimeGenerated > ago(1h)
| where OperationName contains "Add member to group"
| where parse_json(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[1].newValue)) contains "Fabric-RG"
| extend InitiatingUser = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)
| extend TargetUser = tostring(TargetResources[0].userPrincipalName)
| extend GroupName = tostring(parse_json(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[1].newValue)))
| project TimeGenerated, OperationName, InitiatingUser, TargetUser, GroupName
This pulls up any changes (member additions) to a group with "Fabric-RG" in its name.
When running this query alone, it returns the info:
Now the info that returns in the Logic App is different: it's currently set up to print out entity friendly names, and I was wondering if anyone could help me configure it so it prints out the initiating user, target user and target group as the query does? I am unsure how to select those specific entities created within the query.
Any advice on this would be greatly appreciated.
Thank you.
JayK_13, Copper Contributor
Not so easy to debug from a few screenshots.
It may be easier to understand what's going on by casting related Entities to an array, then doing Filter array where the expression to be filtered is
item()?['kind'] equal to Account
then loop and look at the properties JSON and extract the two entities.
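The filter-then-loop approach suggested above, as an added Python example (not from the thread and not the Sentinel connector's own code): it applies the same kind-equals-Account filter to a constructed related-entities array, then reads each item's properties JSON to build a UPN, tolerating items with no properties the way the `?[]` lookup does. The property names accountName, upnSuffix, friendlyName and displayName are assumptions for this example.

```python
import json

# Constructed sample of the related-entities array a Sentinel alert trigger
# hands to a Logic App: each item carries a "kind" and a "properties" object.
# The property names inside "properties" are assumed for this example.
SAMPLE_ENTITIES_JSON = json.dumps([
    {"kind": "Account", "properties": {"accountName": "admin.user",
                                        "upnSuffix": "contoso.example",
                                        "friendlyName": "admin.user"}},
    {"kind": "Account", "properties": {"accountName": "new.member",
                                        "upnSuffix": "contoso.example",
                                        "friendlyName": "new.member"}},
    {"kind": "SecurityGroup", "properties": {"displayName": "Fabric-RG-Owners"}},
    {"kind": "Account"},  # no properties: must not break the loop
])


def filter_by_kind(entities, kind):
    """Same effect as a 'Filter array' action with item()?['kind'] is equal to <kind>."""
    return [e for e in entities if isinstance(e, dict) and e.get("kind") == kind]


def account_upn(entity):
    """Body of the 'for each': read the properties JSON and build a UPN.
    Falls back to friendlyName, then to None, when fields are missing."""
    props = entity.get("properties") or {}
    name, suffix = props.get("accountName"), props.get("upnSuffix")
    if name and suffix:
        return f"{name}@{suffix}"
    return props.get("friendlyName")


def extract(entities_json):
    """Return the account UPNs and group names found in the entity array."""
    entities = json.loads(entities_json)
    accounts = [account_upn(e) for e in filter_by_kind(entities, "Account")]
    groups = [(e.get("properties") or {}).get("displayName")
              for e in filter_by_kind(entities, "SecurityGroup")]
    return {"accounts": [a for a in accounts if a], "groups": [g for g in groups if g]}


if __name__ == "__main__":
    print(json.dumps(extract(SAMPLE_ENTITIES_JSON), indent=2))
```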