Forum Discussion

jainshamu's avatar
jainshamu
Copper Contributor
Aug 05, 2021

Parsing Entities from Azure Sentinel incident into Logic Apps for sending email

Hello,

 

We are trying to automate first level response for our Azure Sentinel Incidents, These Incidents have Custom Entities and we need to pass these Entities to Azure logic Apps so that this Entity details can be sent over an email to the End user using Logic App Connector "Send Approval Email".

 

This is how my Logic App looks in designer mode

 

Below is what we have configured in Send approval email step

 

 

None of these captures the Custom Entities that we have defined in our alert like EventID or TimeGenerated.

 

So 2 things that I can use some help with:

- How to capture Custom Entities ?
- how to parse Entities and Custom Entities for more readable format for end users who will receive this emails

  • m_zorich's avatar
    m_zorich
    Iron Contributor
    Aug 05, 2021

    jainshamu The entities are stored as json so the easiest way is probably to use the parse json and create html table functions to make the data more readable. Your json schema is different to mine, so the first time just run a compose action to capture the output

     

     

     

     

     

     

     

     

     

     

    Once its run once, grab the output from the compose action (we will use it to generate the schema for the parse json action), then update your logic app to the below. On the parse json action, click the 'use sample payload to generate schema' then paste in the output from your first run. Then build a HTML table (again your columns are going to be different to mine so build it with what makes sense for your entities). Then add the output of your create html table action to your email.

     

     

    Then you should get an email with the table of entities. Just make sure your json schema is perfect, logic apps is really picky, if it expecting a string but gets a null for instance it will fail.

      • GBushey's avatar
        GBushey
        Icon for Microsoft rankMicrosoft
        Oct 18, 2022

        KentuckyMike2085 You would need to run the playbook once and then in the run history you can see the various steps that were run.  You can then click on one to see the input and output variables.  You would be able to get the data that way.

         

        I would also say that the way the playbook was written should be modified to use the new incident trigger as it will provide you the means to easily get the entities needed.

    • Luuk_Jansen's avatar
      Luuk_Jansen
      Copper Contributor
      Sep 05, 2022

      m_zorich 

       

      When I follow your instructions, I wont see my custom entities in the output from the compose. I just see the entities that are defined in the "Entity mapping". Everything under " Custom Details" won't show up under entities.

       

       

    • jainshamu's avatar
      jainshamu
      Copper Contributor
      Aug 09, 2021
      Thanks m_zorich, this is really helpful and I could move a step forward. Email reads much better now. HTML table is not at its best now but working to format it with Initialize Variable and Set Variable connector and then passing it to email body.

Resources