I need your assistance in creating a playbook using Logic Apps for Azure Sentinel.
In Sentinel, I have an analytical rule for Impossible travel activity which runs every 4 hours and looks for data every 4 hours, now when the query returns the result it usually comes up with 1 or more results(usually known as events). The problem is that when it returns more than 1 result how will the playbook trigger for every event that has been triggered?
Alert contains these 2 events:
A has traveled to so and so locations in so and so time .
B has traveled to so and so locations in so and so time.
When the playbook is triggered will it trigger both and create 2 service now records as specified in the playbook? Will it create for only the first one or second one or neither?
Have you had any luck so far encountering anything like this and have found a way out of this? Should the changes be made in the playbook or the schedule of the alerts.
@Pranesh1060 Try using the GetAccounts action in the Azure Sentinel logic app connector. It will return all the Accounts for the Incident so, in your case, it should have the various users. Then do a loop through the values and create a ticket for each one .
I am doing exactly that, but when the alert is triggered instead of the event details the alert details are being published, which has no info about the event that has occurred and contains the exact query in the extended properties column, I am not sure where exactly is it going wrong.