Forum Discussion
Include Additional Entities Detail in Email
- Oct 02, 2023
Two options:
1. You can amend the Playbook to run a new KQL query to do the UPN lookup and geo lookup: https://learn.microsoft.com/en-us/azure/data-explorer/kusto/query/geo-info-from-ip-address-function
2. You can disable the atypical travel alert with an Automation Rule, then write and run your own version of Atypical travel with all the enrichments you need and call the playbook from that.
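As an added illustration of the enrichment suggested in the reply above (this is not code from the thread or from Microsoft), the query below resolves each sign-in IP with `geo_info_from_ip_address` and flags consecutive sign-ins by the same UPN that imply an implausible travel speed. The `SampleSignins` table, its rows and the 900 km/h threshold are constructed assumptions; the column names mirror `SigninLogs`, and the geo results depend on the service's IP database.

```kusto
// Constructed sample rows standing in for SigninLogs (assumption: same column names).
let SampleSignins = datatable(TimeGenerated:datetime, UserPrincipalName:string, IPAddress:string)
[
    datetime(2023-10-02 08:00:00), "alice@contoso.example", "20.53.203.50",
    datetime(2023-10-02 09:30:00), "alice@contoso.example", "8.8.8.8",
    datetime(2023-10-02 08:15:00), "bob@contoso.example",   "20.53.203.50",
    datetime(2023-10-02 18:45:00), "bob@contoso.example",   "20.53.203.50"
];
// Assumed threshold: faster than a commercial flight counts as implausible.
let MaxSpeedKmh = 900.0;
SampleSignins
// Geo lookup: returns a dynamic bag with country, state, city, latitude, longitude.
| extend Geo = geo_info_from_ip_address(IPAddress)
| extend Country = tostring(Geo.country),
         City    = tostring(Geo.city),
         Lat     = toreal(Geo.latitude),
         Lon     = toreal(Geo.longitude)
// Drop addresses the lookup could not resolve (private ranges, unknown IPs).
| where isnotempty(Country) and isnotnull(Lat) and isnotnull(Lon)
// Sorting serializes the row set so prev() can compare consecutive sign-ins per user.
| sort by UserPrincipalName asc, TimeGenerated asc
| extend PrevUser    = prev(UserPrincipalName),
         PrevTime    = prev(TimeGenerated),
         PrevIP      = prev(IPAddress),
         PrevCountry = prev(Country),
         PrevCity    = prev(City),
         PrevLat     = prev(Lat),
         PrevLon     = prev(Lon)
| where UserPrincipalName == PrevUser and Country != PrevCountry
// geo_distance_2points takes (lon1, lat1, lon2, lat2) and returns meters.
| extend DistanceKm = geo_distance_2points(PrevLon, PrevLat, Lon, Lat) / 1000.0
| extend HoursApart = (TimeGenerated - PrevTime) / 1h
| where HoursApart > 0
| extend SpeedKmh = DistanceKm / HoursApart
| where SpeedKmh > MaxSpeedKmh
// These columns are what a playbook could place in the notification email.
| project TimeGenerated, UserPrincipalName,
          PrevIP, PrevCity, PrevCountry,
          IPAddress, City, Country,
          DistanceKm = round(DistanceKm, 0), HoursApart = round(HoursApart, 2), SpeedKmh = round(SpeedKmh, 0)
```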
Have you tried making sure you're not filtering out any subscriptions in the portal settings?
Thought that might be it for a moment or two - when I looked at the settings it was filtered to 1 subscription. However, I changed the filter to All Subscriptions and the Subscription field still shows "Loading..." for 1-2 seconds then says 'No Items'. I logged out and back in to ensure it wasn't related to the session. Still nothing.
- Clive_Watson, Oct 24, 2023, Bronze Contributor
It can depend on what Subscription you need. If it's the Sentinel Workspace one, that is available as "Dynamic content" - search for "Subscription" in the box that pops up when you click on the Subscription field.
- DGMalcolm, Nov 07, 2023, Iron Contributor
Thank you for your help with this. It definitely got me a couple steps closer. I still find myself hunting for the options I need. Is there a Logic Apps dev guide or learning resource someplace? I've looked and can only seem to find the standard MS Docs which don't really give me enough detail.
TIA
~dgm~
- Clive_Watson, Nov 07, 2023, Bronze Contributor
There are loads of resources on Learn (which I think you've seen), especially in the reference section: https://learn.microsoft.com/en-us/azure/logic-apps/logic-apps-overview
Pluralsight and Udemy (and others) have courses, but I've not done them so don't have a recommendation.
Module 9 of https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/become-a-microsoft-sentinel-ninja-the-complete-level-400/ba-p/1246310 will also help - with a video