Unable to post search results in custom JSON payload in Azure Alert

The task is to post the query results on Slack using a webhook and include the search results in the message.

As per this documentation (https://docs.microsoft.com/en-us/azure/azure-monitor/platform/alerts-log-webhook), I have included the IncludeSearchResults key in my custom JSON payload and set it to true.

But when the condition is met, all the other properties like alert name, description, etc. are included but search results from the query are not posted as a part of the message.
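An added example (not code from the original post or from Microsoft) of what a small Slack relay could do with this alert: it sanity-checks a custom JSON payload template for a top-level boolean IncludeSearchResults, and formats whatever SearchResults arrive, stating explicitly when they are absent instead of dropping them silently. The SearchResults table shape, the sample alert body and the function names are assumptions.

```python
import json
from typing import Any, Dict, List

# Constructed sample alert body as a webhook receiver might see it. The
# SearchResults shape (tables -> columns/rows) is an assumption for this
# example, not taken from the post or from Microsoft's documentation.
SAMPLE_ALERT = {
    "AlertRuleName": "Failed sign-ins",
    "Description": "More than 5 failed sign-ins in 10 minutes",
    "SearchResults": {
        "tables": [{
            "name": "PrimaryResult",
            "columns": [{"name": "Account", "type": "string"},
                        {"name": "Count", "type": "long"}],
            "rows": [["alice@example.com", 7], ["bob@example.com", 9]],
        }]
    },
}

def check_template(template: str) -> List[str]:
    """Sanity-check a custom JSON payload template; return a list of problems."""
    try:
        payload = json.loads(template)
    except json.JSONDecodeError as exc:
        return [f"template is not valid JSON: {exc}"]
    if not isinstance(payload, dict):
        return ["template must be a JSON object"]
    problems = []
    flag = payload.get("IncludeSearchResults")
    if flag is None:
        problems.append("IncludeSearchResults is missing at the top level")
    elif flag is not True:  # a quoted "true" is a string, not a boolean
        problems.append(f"IncludeSearchResults must be boolean true, got {flag!r}")
    return problems

def to_slack_message(alert: Dict[str, Any], max_rows: int = 10) -> Dict[str, str]:
    """Build a Slack incoming-webhook body ({"text": ...}) from an alert body."""
    lines = [f"*{alert.get('AlertRuleName', 'unnamed alert')}*",
             alert.get("Description", "")]
    tables = (alert.get("SearchResults") or {}).get("tables") or []
    if not tables:
        # The symptom from the post: flag it rather than silently drop the rows.
        lines.append("_search results were not included in the payload_")
    else:
        cols = [c["name"] for c in tables[0]["columns"]]
        lines.append(" | ".join(cols))
        for row in tables[0]["rows"][:max_rows]:
            lines.append(" | ".join(str(v) for v in row))
    return {"text": "\n".join(lines)}
```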

@uditk14 this forum is for Azure Sentinel and I can help you if you would like to use Azure Sentinel alerts for this task. If you are not an Azure Sentinel user and would like to discuss Azure Monitor, you should ask on the Azure Monitor tech community (https://techcommunity.microsoft.com/t5/azure-monitor/bd-p/AzureMonitor).