Send an Email with Incident Details


I'm endeavoring to manage incident responses in Sentinel using Logic Apps. However, I'm encountering a challenge: my COMPOSE action involves multiple JSON objects. One JSON contains information about the initiating user, the next about the affected user, and so forth. The issue arises when I attempt to send an email related to the incident, as the Logic App triggers multiple emails—one for each JSON object.

My goal is to consolidate this information into a single email, providing a comprehensive overview of the incident. For instance:

"Hello, [initiating user from JSON1],

Sentinel has detected an alarm due to your recent activity involving multiple users: [affected user 1 from JSON2], [affected user 2 from JSON3], and [affected user 3 from JSON4].
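As an added example (not from the original post), here is a Logic App workflow-definition fragment showing the usual fix pattern: aggregate the user objects first with a Select action, build the body once, and call the email action a single time at the top level rather than inside a For Each. It assumes an existing Compose action named Compose whose output is an array of the user JSON objects (first element the initiating user, the rest the affected users), assumes the property names displayName and mail and an Office 365 connection named office365, and reads the incident title from the standard Sentinel incident trigger body.

```json
{
  "actions": {
    "Select_affected_users": {
      "type": "Select",
      "description": "Assumed: outputs('Compose') is an array of user objects. Skip the first (initiating user) and keep only the display names of the rest.",
      "runAfter": { "Compose": ["Succeeded"] },
      "inputs": {
        "from": "@skip(outputs('Compose'), 1)",
        "select": "@item()?['displayName']"
      }
    },
    "Compose_email_body": {
      "type": "Compose",
      "description": "One body built once from the aggregated list; join() flattens the Select output into a single comma-separated string.",
      "runAfter": { "Select_affected_users": ["Succeeded"] },
      "inputs": "Hello, @{first(outputs('Compose'))?['displayName']},\n\nSentinel has detected an alarm due to your recent activity involving multiple users: @{join(body('Select_affected_users'), ', ')}.\n\nIncident: @{triggerBody()?['object']?['properties']?['title']}"
    },
    "Send_an_email_(V2)": {
      "type": "ApiConnection",
      "description": "Runs once per incident because it sits at the top level, not inside a For Each over the user objects. The 'mail' property and the connection name 'office365' are assumptions.",
      "runAfter": { "Compose_email_body": ["Succeeded"] },
      "inputs": {
        "host": {
          "connection": {
            "name": "@parameters('$connections')['office365']['connectionId']"
          }
        },
        "method": "post",
        "path": "/v2/Mail",
        "body": {
          "To": "@{first(outputs('Compose'))?['mail']}",
          "Subject": "Sentinel incident: @{triggerBody()?['object']?['properties']?['title']}",
          "Body": "@{outputs('Compose_email_body')}"
        }
      }
    }
  }
}
```

If the Send email action currently lives inside a For Each, move it out to the top level; the loop is what produces one message per JSON object.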



3 Replies
howzit bud, in what platform is this incident log being produced? Is there information being produced in any Log Analytics workspace tables?
I'm happy to help you write a KQL query to monitor the respective table for a result (on a recurring trigger) and then send an email with the dynamic content you require, e.g. username, email, IP.
Kinda using the same principle on my blog from step 6. https://allenvisser.azurewebsites.net/2024/04/24/brute-force-attacks/
vote if you like, and respond if you wanna deep dive this 🙂

@Mobile_Walk_In

Can you elaborate further on which portion you are stuck on?

"Thank you for your assistance! Currently, I'm endeavoring to manage incident responses in Sentinel using Logic Apps. However, I'm encountering a challenge: my COMPOSE action involves multiple JSON objects. One JSON contains information about the initiating user, the next about the affected user, and so forth. The issue arises when I attempt to send an email related to the incident, as the Logic App triggers multiple emails—one for each JSON object.

My goal is to consolidate this information into a single email, providing a comprehensive overview of the incident. For instance:

"Hello, [initiating user from JSON1],

Sentinel has detected an alarm due to your recent activity involving multiple users: [affected user 1 from JSON2], [affected user 2 from JSON3], and [affected user 3 from JSON4].

Does this clarification help in understanding the situation?"