Forum Discussion
Re: Include Additional Entities Detail in Email
Two options:
1. You can amend the Playbook to run a new KQL query to do the UPN lookup and geo lookup https://learn.microsoft.com/en-us/azure/data-explorer/kusto/query/geo-info-from-ip-address-function
2. You can disable the atypical travel alert with an Automation Rule, then write run your own version of Atypical travel with all the enrichments you need and call the playbook from that
1. You can amend the Playbook to run a new KQL query to do the UPN lookup and geo lookup https://learn.microsoft.com/en-us/azure/data-explorer/kusto/query/geo-info-from-ip-address-function
2. You can disable the atypical travel alert with an Automation Rule, then write run your own version of Atypical travel with all the enrichments you need and call the playbook from that
10 Replies
- I went off to begin digging into these details but then got sidetracked by other things, you know life. And now I've come back to this. I've got queries that pull the geolocation info and I am able to get the UPN data. But I'm not sure how to "amend the Playbook to run a new KQL query". I don't see an option in the Playbook editor for running a KQL query - am I just missing something?
Okay, maybe it's not just me being a dummy. I tried using that step but the 'Subscription' field doesn't populate. I figured that it wasn't licensed on my subscription somehow. Guess I need to figure out what's causing this then.
- Great, thank you for the guidance. I'm digging into these options now.
