Mobile_Walk_In (Copper Contributor)
May 10, 2024
Send an Email with Incident Details
I'm endeavoring to manage incident responses in Sentinel using Logic Apps. However, I'm encountering a challenge: my COMPOSE action involves multiple JSON objects. One JSON contains information about the initiating user, the next about the affected user, and so forth. The issue arises when I attempt to send an email related to the incident, as the Logic App triggers multiple emails—one for each JSON object.
My goal is to consolidate this information into a single email, providing a comprehensive overview of the incident. For instance:
"Hello, [initiating user from JSON1],
Sentinel has detected an alarm due to your recent activity involving multiple users: [affected user 1 from JSON2], [affected user 2 from JSON3], and [affected user 3 from JSON4].
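One way to get a single email per incident instead of one per JSON object, as an added example that is not part of the original post: keep the per-user work in a Select action, collapse its output into one string with Join, and reference only that string from a single Send an email action, so the designer never wraps the email in a For each. The two Compose actions hold constructed sample data standing in for the poster's JSON1 and JSON2..4; the Office 365 Outlook connection name `office365`, the `userPrincipalName` field, and the Sentinel incident trigger (`triggerBody()?['object']?['properties']?['incidentNumber']`) are assumptions for illustration.

```json
{
  "Initiating_user": {
    "type": "Compose",
    "inputs": { "userPrincipalName": "alice@contoso.example" },
    "runAfter": {}
  },
  "Affected_users": {
    "type": "Compose",
    "inputs": [
      { "userPrincipalName": "bob@contoso.example" },
      { "userPrincipalName": "carol@contoso.example" },
      { "userPrincipalName": "dave@contoso.example" }
    ],
    "runAfter": { "Initiating_user": [ "Succeeded" ] }
  },
  "Select_affected_upns": {
    "type": "Select",
    "inputs": {
      "from": "@outputs('Affected_users')",
      "select": "@item()?['userPrincipalName']"
    },
    "runAfter": { "Affected_users": [ "Succeeded" ] }
  },
  "Join_affected_upns": {
    "type": "Join",
    "inputs": { "from": "@body('Select_affected_upns')", "joinWith": ", " },
    "runAfter": { "Select_affected_upns": [ "Succeeded" ] }
  },
  "Send_an_email_(V2)": {
    "type": "ApiConnection",
    "inputs": {
      "host": { "connection": { "name": "@parameters('$connections')['office365']['connectionId']" } },
      "method": "post",
      "path": "/v2/Mail",
      "body": {
        "To": "@outputs('Initiating_user')?['userPrincipalName']",
        "Subject": "Sentinel incident @{triggerBody()?['object']?['properties']?['incidentNumber']}",
        "Body": "<p>Hello, @{outputs('Initiating_user')?['userPrincipalName']},</p><p>Sentinel has detected an alarm due to your recent activity involving multiple users: @{body('Join_affected_upns')}.</p>"
      }
    },
    "runAfter": { "Join_affected_upns": [ "Succeeded" ] }
  }
}
```

This is the `actions` object of the workflow definition; with three affected users the Join output is `bob@contoso.example, carol@contoso.example, dave@contoso.example` and exactly one email is sent, because Send an email depends on a scalar string rather than on an item of the array.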
3 Replies
- Mobile_Walk_In (Copper Contributor): "Thank you for your assistance! Currently, I'm endeavoring to manage incident responses in Sentinel using Logic Apps. However, I'm encountering a challenge: my COMPOSE action involves multiple JSON objects. One JSON contains information about the initiating user, the next about the affected user, and so forth. The issue arises when I attempt to send an email related to the incident, as the Logic App triggers multiple emails—one for each JSON object.
My goal is to consolidate this information into a single email, providing a comprehensive overview of the incident. For instance:
"Hello, [initiating user from JSON1],
Sentinel has detected an alarm due to your recent activity involving multiple users: [affected user 1 from JSON2], [affected user 2 from JSON3], and [affected user 3 from JSON4].
Does this clarification help in understanding the situation?"
- AllenVisser (Copper Contributor): Howzit bud, on what platform is this incident log being produced? Is there information being produced in any Log Analytics workspace tables?
I'm happy to help you write a KQL query to monitor the respective table for a result (on a recurring trigger) and then send an email with the dynamic content you require, e.g. username, email, IP.
Kinda using the same principle on my blog from step 6. https://allenvisser.azurewebsites.net/2024/04/24/brute-force-attacks/
Vote if you like, and respond if you wanna deep dive this 🙂