Forum Discussion
Solved
Include Additional Entities Detail in Email
Hey all, I am relatively new to Sentinel and I've run across a situation I can't seem to resolve. I've enabled the "SentinelIncident" automation rule and I've configured it to run the 'Send-ema...
- Two options:
1. You can amend the Playbook to run a new KQL query to do the UPN lookup and geo lookup https://learn.microsoft.com/en-us/azure/data-explorer/kusto/query/geo-info-from-ip-address-function
2. You can disable the atypical travel alert with an Automation Rule, then write run your own version of Atypical travel with all the enrichments you need and call the playbook from that
It can depend what Subscription you need. If its the Sentinel Workspace one, that is available as "Dynamic content" - search for "Subscription" in the box that pops up when you click on the Subscription field
Thank you with for your help with this. It definitely got me a couple steps closer. I still find myself hunting for the options I need. Is there a Logic Apps dev guide or learning resource someplace? I've looked and can only seem to find the standard MS Docs which don't really give me enough detail.
TIA
~dgm~
Once again, thank you for the help. I'll dig around in this and see if there are some answers.
TY
~dgm~
- There are loads of resources on Learn (which I think you've seen) especially in the reference section: https://learn.microsoft.com/en-us/azure/logic-apps/logic-apps-overview
Pluralsight and Udemy (and others) have courses, but I've not done them so dont have a recommendation.
Module 9 of https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/become-a-microsoft-sentinel-ninja-the-complete-level-400/ba-p/1246310 will also help - with a video