Parsing Entities from Azure Sentinel incident into Logic Apps for sending email


Hello,

We are trying to automate first-level response for our Azure Sentinel incidents. These incidents have custom entities, and we need to pass these entities to Azure Logic Apps so that the entity details can be sent in an email to the end user using the Logic App connector "Send Approval Email".

This is how my Logic App looks in designer mode:

[image: jainshamu_0-1628156469195.png]

Below is what we have configured in the Send approval email step:

[image: jainshamu_1-1628156582619.png]

None of these captures the custom entities that we have defined in our alert, like EventID or TimeGenerated.

So there are 2 things that I could use some help with:

- How to capture custom entities?
- How to parse entities and custom entities into a more readable format for the end users who will receive these emails

2 Replies

@jainshamu The entities are stored as JSON, so the easiest way is probably to use the Parse JSON and Create HTML table actions to make the data more readable. Your JSON schema is different to mine, so the first time just run a Compose action to capture the output.

[image: compose.PNG]

Once it has run once, grab the output from the Compose action (we will use it to generate the schema for the Parse JSON action), then update your Logic App to the below. On the Parse JSON action, click 'Use sample payload to generate schema', then paste in the output from your first run. Then build an HTML table (again, your columns are going to be different to mine, so build it with what makes sense for your entities). Then add the output of your Create HTML table action to your email.

[image: compose2.PNG]

Then you should get an email with the table of entities. Just make sure your JSON schema is perfect; Logic Apps is really picky, and if it's expecting a string but gets a null, for instance, it will fail.
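The procedure in the reply above (capture a sample with Compose, generate a Parse JSON schema from it, flatten the entities into rows for Create HTML table, drop the table into the email) is easy to sanity-check outside the designer. The Python script below is an added example, not code from this thread or from Logic Apps: it infers a draft-4 style schema from a sample payload the way the designer's "Use sample payload to generate schema" button does, but widens every scalar type to also accept `null`, which is the usual fix for the "expected string, got null" failure the reply warns about. It then builds the table rows and renders them with HTML escaping, because entity values (hostnames, account names, "friendly names") come straight from logs and are attacker-influenced. The entity payload is constructed for this example; your own Compose output will have different fields.

```python
import html
import json
from functools import reduce
from typing import Any

# Constructed sample, standing in for the Compose output captured on the first
# run.  The shape follows a Sentinel incident trigger's Entities array (a list
# of {kind, properties} objects); the values are invented, one field is
# deliberately null, and one carries HTML to show why escaping matters.
SAMPLE_ENTITIES_JSON = """
[
  {"kind": "Account", "properties": {"accountName": "jdoe", "upnSuffix": "contoso.com"}},
  {"kind": "Host",    "properties": {"hostName": "WS-042", "osFamily": null}},
  {"kind": "Ip",      "properties": {"address": "203.0.113.7",
                                     "friendlyName": "<img src=x onerror=alert(1)>"}}
]
"""


def load_entities(entities_json: str = SAMPLE_ENTITIES_JSON) -> list:
    return json.loads(entities_json)


def merge_schema(a: dict, b: dict) -> dict:
    """Union two inferred schemas so one schema covers every entity kind."""
    if not a or not b:
        return a or b
    if a.get("type") == "object" and b.get("type") == "object":
        props = dict(a["properties"])
        for key, sub in b["properties"].items():
            props[key] = merge_schema(props.get(key, {}), sub)
        return {"type": "object", "properties": props}
    if a.get("type") == "array" and b.get("type") == "array":
        return {"type": "array", "items": merge_schema(a["items"], b["items"])}
    return a if a == b else {}  # conflicting scalar types: leave the type open


def infer_schema(sample: Any) -> dict:
    """Derive a draft-4 style JSON Schema (what the Parse JSON action consumes)
    from a sample payload.  Unlike the designer, which emits e.g.
    {"type": "string"} and then fails on a later run where that field is null,
    every scalar type here is widened with "null"."""
    if isinstance(sample, dict):
        return {"type": "object",
                "properties": {k: infer_schema(v) for k, v in sample.items()}}
    if isinstance(sample, list):
        return {"type": "array",
                "items": reduce(merge_schema, (infer_schema(v) for v in sample), {})}
    if isinstance(sample, bool):          # bool before int: True is an int in Python
        return {"type": ["boolean", "null"]}
    if isinstance(sample, (int, float)):
        return {"type": ["number", "null"]}
    if isinstance(sample, str):
        return {"type": ["string", "null"]}
    return {}  # null in the sample tells us nothing about the type


def entity_rows(entities: list) -> list:
    """Flatten to one row per entity: the array you would feed Create HTML table."""
    rows = []
    for entity in entities:
        props = entity.get("properties") or {}
        details = "; ".join(f"{k}={v}" for k, v in props.items() if v is not None)
        rows.append({"Kind": entity.get("kind") or "", "Details": details})
    return rows


def html_table(rows: list, columns: list) -> str:
    """Render rows as an HTML table, escaping every cell so log-derived entity
    values cannot inject markup into the email body."""
    def cell(tag: str, text: Any) -> str:
        return f"<{tag}>{html.escape('' if text is None else str(text))}</{tag}>"
    head = "".join(cell("th", c) for c in columns)
    body = "".join("<tr>" + "".join(cell("td", r.get(c)) for c in columns) + "</tr>"
                   for r in rows)
    return f"<table><thead><tr>{head}</tr></thead><tbody>{body}</tbody></table>"


def build_email_table(entities_json: str = SAMPLE_ENTITIES_JSON) -> str:
    return html_table(entity_rows(load_entities(entities_json)), ["Kind", "Details"])


if __name__ == "__main__":
    print(json.dumps(infer_schema(load_entities()), indent=2))
    print(build_email_table())
```

Paste the printed schema into the Parse JSON action in place of the designer-generated one; the `["string", "null"]` type arrays are what keep the action from failing on incidents where an entity property is absent. Whichever action renders the table, treat entity values as untrusted input and confirm they arrive in the mail escaped rather than as live HTML.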

Thanks @m_zorich, this is really helpful and I could move a step forward. The email reads much better now. The HTML table is not at its best yet, but I am working to format it with the Initialize Variable and Set Variable connectors and then passing it to the email body.