Forum Discussion
Parsing Entities from Azure Sentinel incident into Logic Apps for sending email
jainshamu The entities are stored as JSON, so the easiest way is probably to use the parse JSON and create HTML table functions to make the data more readable. Your JSON schema is different to mine, so the first time just run a compose action to capture the output.
Once it's run once, grab the output from the compose action (we will use it to generate the schema for the parse JSON action), then update your logic app to the below. On the parse JSON action, click the 'use sample payload to generate schema', then paste in the output from your first run. Then build an HTML table (again, your columns are going to be different to mine, so build it with what makes sense for your entities). Then add the output of your create HTML table action to your email.
Then you should get an email with the table of entities. Just make sure your JSON schema is perfect; Logic Apps is really picky. If it is expecting a string but gets a null, for instance, it will fail.
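The null failure described in the reply above can be avoided by relaxing the generated schema before pasting it into the Parse JSON action. The following is an added example, not part of the thread: it builds a schema from a captured Compose output in which every scalar also accepts null and nothing is marked required. The sample entities and the helper names `infer_schema` and `merge` are constructed for illustration, and it assumes the Parse JSON action accepts type arrays such as `["string", "null"]` and an empty `{}` property schema.

```python
import json

# Constructed sample of a Compose action's output; real entity fields differ
# per incident, and any of them can be null or missing.
SAMPLE_ENTITIES = json.loads("""
[
  {"$id": "3", "Type": "host", "HostName": "wks-01", "DnsDomain": null},
  {"$id": "4", "Type": "ip", "Address": "203.0.113.10"}
]
""")

SCALARS = [(bool, "boolean"), (int, "integer"), (float, "number"), (str, "string")]


def infer_schema(value):
    """Build a schema for one sample value; every scalar may also be null."""
    if isinstance(value, dict):
        return {"type": "object",
                "properties": {k: infer_schema(v) for k, v in value.items()}}
    if isinstance(value, list):
        return {"type": "array", "items": merge([infer_schema(v) for v in value])}
    for py_type, name in SCALARS:  # bool is tested before int on purpose
        if isinstance(value, py_type):
            return {"type": [name, "null"]}
    return {}  # null in the sample: the type is unknown, so accept anything


def merge(schemas):
    """Fold the schemas of all items in one array into a single item schema."""
    if schemas and all(s.get("type") == "object" for s in schemas):
        keys = {k: None for s in schemas for k in s["properties"]}  # ordered union
        return {"type": "object", "properties": {
            k: merge([s["properties"][k] for s in schemas if k in s["properties"]])
            for k in keys}}
    if schemas and all(s.get("type") == "array" for s in schemas):
        return {"type": "array", "items": merge([s["items"] for s in schemas])}
    types = []
    for s in schemas:
        declared = s.get("type", [])
        for name in ([declared] if isinstance(declared, str) else declared):
            if name not in types and name != "null":
                types.append(name)
    return {"type": types + ["null"]} if types else {}


if __name__ == "__main__":
    print(json.dumps(infer_schema(SAMPLE_ENTITIES), indent=2))
```

Because no `required` list is emitted, an entity that lacks a column (an IP entity has no `HostName`) still passes validation.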
Where / How do you get the Sample Schema from for Entities?
- GBushey, Oct 18, 2022, Microsoft
KentuckyMike2085 You would need to run the playbook once and then in the run history you can see the various steps that were run. You can then click on one to see the input and output variables. You would be able to get the data that way.
I would also say that the way the playbook was written should be modified to use the new incident trigger as it will provide you the means to easily get the entities needed.
- KentuckyMike2085, Oct 18, 2022, Copper Contributor