Extracting Additional Data for E-mail Alert via Playbook


I have a logic app set up to be used for email alerting with one of my scheduled queries. I am able to pull out the entity data such as Account, Host, IP, etc., but is there a way to pull out other sets of data as well?

 

For example, my email alert will provide me with the mapped entities mentioned above, but I have additional fields that display data that I need in my email alert as well; is it possible to extract this in the Sentinel connector?

 

Thanks,

Sean

5 Replies

@SH30 What you see in the list of dynamic content is everything that the Azure Sentinel connector will return. If you have additional fields you would like to be available I would suggest creating a new entry in the Azure Sentinel feedback page at: https://feedback.azure.com/forums/920458-azure-sentinel

 

With that being said, you can make REST calls inside of Playbooks where you can get more information from the unsupported (so far) Azure Sentinel REST API located at https://github.com/Azure/azure-rest-api-specs/tree/master/specification/securityinsights/resource-ma...

 

Wortell has created some great PowerShell commands using this API that you could use as a basis for your calls.  They are located at https://github.com/wortell/AZSentinel

 

Hope this helps

@SH30 I did something similar with one of my logic apps. I had to create custom expressions using "triggerbody()?" in order to extract some of the other fields. 

 

This link may be helpful: https://docs.microsoft.com/en-us/azure/logic-apps/workflow-definition-language-functions-reference

 

@leoszalkowski @Gary Bushey  Appreciate the responses, will look into both. Thanks!

Hi Sean,

Have you managed to resolve this, and if so, do you mind sharing your steps?

@SH30 Hi Sean, apart from the pre-defined values you can add other values by parsing the JSON parameter. All the parameters in the alert are converted into strings. I've used this logic in my case: "Every time an alert is triggered, using the Data Operations connector click on Parse JSON, take the predefined value available in the alert (e.g. "Extended properties" or "Entities") and click on sample payload to generate a sample schema. From the logs copy the exact parameter and paste it in the sample schema; it will automatically generate a new schema for you." You can then make use of these values as per your requirement to either send an email or create a ticket in SNOW.

Hope this helps!!
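The two answers above (custom `triggerBody()?` expressions, and Parse JSON over "Extended properties" / "Entities") both rely on the same fact: the Sentinel alert trigger hands those fields to the playbook as JSON-serialised strings, so they have to be parsed a second time before individual keys can be put into an e-mail. The following is an added example, not code from the thread or from Microsoft, that does outside Logic Apps what the expression `json(triggerBody()?['ExtendedProperties'])?['Query']` does inside one, including the null-safe behaviour of `?` when a field is missing or is not valid JSON. The trigger payload is constructed for the example; every key inside `ExtendedProperties`, `Entities` and `Custom Details` is an assumption, not a copy of the connector's schema, so check the names against a real run of your own playbook before reusing them.

```python
"""Extract extra alert fields that the Sentinel connector only exposes as
JSON-serialised strings (ExtendedProperties, Entities) and build an
e-mail body from them."""
import json
from typing import Any, Dict, List

# Constructed sample of a Sentinel alert trigger body. Field names beyond
# ExtendedProperties / Entities, and the keys inside them, are assumptions
# for this example, not the connector's real schema.
SAMPLE_TRIGGER_BODY: Dict[str, Any] = {
    "AlertDisplayName": "Suspicious logon from new country",
    "Severity": "Medium",
    "ExtendedProperties": json.dumps({
        "Query": "SigninLogs | where ResultType == 0 "
                 "| summarize count() by UserPrincipalName, Location",
        "Query Period": "01:00:00",
        "Search Query Results Overall Count": "3",
        # Assumption: custom columns arrive as a JSON string nested inside
        # the ExtendedProperties JSON string, so they need a second parse.
        "Custom Details": json.dumps({"SourceCountry": "NL", "LogonCount": "3"}),
    }),
    "Entities": json.dumps([
        {"Type": "account", "Name": "jdoe", "UPNSuffix": "contoso.com"},
        {"Type": "ip", "Address": "203.0.113.7"},
    ]),
}


def _parse_json_field(container: Dict[str, Any], name: str, default: Any) -> Any:
    """Mirror of the Logic Apps expression json(triggerBody()?['<name>']).

    Returns `default` when the field is absent, empty or not valid JSON,
    which is what the '?' null-safe operator (and a Parse JSON action with
    a lenient schema) protects the playbook run against."""
    raw = container.get(name)
    if raw is None or raw == "":
        return default
    if not isinstance(raw, str):        # already an object: nothing to parse
        return raw
    try:
        return json.loads(raw)
    except json.JSONDecodeError:
        return default


def extract_alert_fields(body: Dict[str, Any]) -> Dict[str, Any]:
    """Flatten the fields an analyst wants in the e-mail into one dict."""
    props = _parse_json_field(body, "ExtendedProperties", {})
    custom = _parse_json_field(props, "Custom Details", {})
    entities: List[Dict[str, Any]] = _parse_json_field(body, "Entities", [])
    return {
        "title": body.get("AlertDisplayName", "(no title)"),
        "severity": body.get("Severity", "Unknown"),
        "query": props.get("Query"),
        "result_count": props.get("Search Query Results Overall Count"),
        "custom": custom,
        "accounts": [e.get("Name") for e in entities if e.get("Type") == "account"],
        "ips": [e.get("Address") for e in entities if e.get("Type") == "ip"],
    }


def build_email_body(fields: Dict[str, Any]) -> str:
    """Plain-text body; each custom column becomes its own line."""
    lines = [
        f"Alert: {fields['title']} (severity {fields['severity']})",
        f"Query: {fields['query']}",
        f"Result count: {fields['result_count']}",
        f"Accounts: {', '.join(fields['accounts']) or '-'}",
        f"IPs: {', '.join(fields['ips']) or '-'}",
    ]
    lines += [f"{key}: {value}" for key, value in fields["custom"].items()]
    return "\n".join(lines)


if __name__ == "__main__":
    print(build_email_body(extract_alert_fields(SAMPLE_TRIGGER_BODY)))
```

The same double parse is what the Parse JSON action does for you when you feed it the `ExtendedProperties` dynamic content and a schema generated from a real payload; the `_parse_json_field` fallback is the part to keep in mind, because a rule whose alert has no custom columns would otherwise fail the run on a null reference.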