Microsoft Tech Community

Unable to utilize logics apps to feed data in a watchlist


Hey,

I am unable to add an item to my choice of watchlist using entities such as an account, computer, hostname, or IP address. The step where the watchlist condition takes an input is being skipped by the logic app. Can anyone help with this?

[Attachments: TIALogicAppRunTimeDetails.PNG, WatchListActionLogicApp.PNG, WatchlistLogicApp.PNG]


@abubakr786 Would need to see a picture of the For each loop expanded to get a better idea of what is happening. It basically looks like there are no accounts to process. Have you validated that you have accounts being returned from the previous step?

Hey @Gary Bushey 

I've attached the expanded For each loop picture, along with the input/output run details for Get_Account and the For each loop for Get_Account. There is an input and output link for Get_Account, and also an input link for the For each loop for Account, but it has no output link.

I guess that is the issue where I need help; pictures attached for reference.

[Attachments: Expanded.PNG, InputLinkForEachAccount.PNG, OutputLinkGetAccount.PNG]

@abubakr786 The images do not show whether any account entities were actually found.


If you do not already know, you can go to the last run, go to the "Entities - Get Accounts" step and click on it. In the new pane on the right side it will show the outputs, and the Body field will tell you if it found anything.

@Gary Bushey No value inside the accounts output in the body, if this is what you are referring to.

[Attachment: abubakr786_0-1631794827656.png]


@abubakr786 That is exactly what I was referring to. So your For loop isn't being executed because there is nothing for it to execute on. At least in this case, the incident or alert has no account entities, so the loop doesn't run.

I understand, so can you suggest the change? I have tested the same for account, IP address and hostname, and it didn't return results for any of them.

@abubakr786 The first thing would be to check that your alert/incident (depending on what trigger you are using) actually has any entities.


@Gary Bushey Does the logic app output, in any form, return the values of the entities fetched? I don't see any entity field or value in the code view of the alert trigger.

@abubakr786 No, you must load them like you were doing in your Logic App.

@abubakr786 @Gary Bushey correct me if I'm wrong, but I believe you will never get any entities/other useful information in your logic app/watchlist unless you run the logic app on an actual alert. Just pressing "run trigger" will end up returning blanks regardless, since there is no information in the initial trigger "When a response to an Azure Sentinel alert is triggered".
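The two points made above (the For each runs zero times because the "Entities - Get Accounts" Body is empty, and a designer "run trigger" produces an empty Body because no alert supplies entities) can be reproduced offline. The script below is an added example written for this thread; it is not code from the original posts or from Microsoft. It assumes the action's output Body carries an "Accounts" array whose items have an "accountName" and an optional "upnSuffix", and that a watchlist item is written as `{"properties": {"itemsKeyValue": {...}}}` as in the Azure REST API for watchlist items; the two sample bodies and the watchlist column names are constructed.

```python
"""Added example (not from the thread or from Microsoft): check the Body of
"Entities - Get Accounts" the way Gary describes and show why a For each
over it is skipped when no account entities came back.

Assumptions (labelled): the Body has an "Accounts" array whose items carry
"accountName" (and optionally "upnSuffix"); the watchlist item payload shape
{"properties": {"itemsKeyValue": {...}}} follows the Azure REST API for
watchlist items. Both sample bodies below are constructed.
"""
import json

# Constructed: the Body you get when the playbook is started with "Run trigger"
# from the designer, or when the incident simply has no account entities.
EMPTY_BODY = json.dumps({"Accounts": []})

# Constructed: the Body from a run against an incident that carries accounts.
POPULATED_BODY = json.dumps({
    "Accounts": [
        {"kind": "Account", "accountName": "jdoe", "upnSuffix": "contoso.example"},
        {"kind": "Account", "accountName": "svc-backup"},
    ]
})


def get_accounts(body: str) -> list:
    """Return the Accounts array from a Get Accounts output Body, or [] if absent."""
    data = json.loads(body) if body else {}
    accounts = data.get("Accounts")
    return accounts if isinstance(accounts, list) else []


def loop_would_run(body: str) -> bool:
    """True when a For each over Accounts would execute at least one iteration."""
    return len(get_accounts(body)) > 0


def to_watchlist_items(body: str, key_column: str = "Account") -> list:
    """Build one watchlist-item payload per account entity.

    key_column is the watchlist's search-key column (assumed name). The result
    is empty exactly when the Logic App's For each would be skipped.
    """
    items = []
    for acct in get_accounts(body):
        name = acct.get("accountName")
        if not name:
            continue  # skip malformed entities rather than writing blank rows
        suffix = acct.get("upnSuffix")
        value = f"{name}@{suffix}" if suffix else name
        items.append({"properties": {"itemsKeyValue": {key_column: value, "Source": "playbook"}}})
    return items


if __name__ == "__main__":
    for label, body in (("designer run", EMPTY_BODY), ("incident run", POPULATED_BODY)):
        print(label, "-> loop runs:", loop_would_run(body),
              "items to add:", len(to_watchlist_items(body)))
```

Running it prints that the "designer run" body yields zero iterations and zero items while the "incident run" body yields two; that is the difference between the blank run in the screenshots and a run triggered by a real alert or incident.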

@Gary Bushey What I meant to ask was whether, at any part of the logic app, the raw input/output contains the fetched value of an entity, which is the exact value of the entity that is added to the watchlist.

Please also share whether the query being used to trigger a certain alert/incident requires projection or retrieval of the entities that are added to watchlists; however, the values required by the Get action are part of the payload of the event.

@abubakr786 Not quite sure what you are asking. When you use the Logic App action to load an entity, you can access the raw (JSON) data that has been returned.


Not sure what you mean by "...the exact value of the entity that is added to the watchlist", as a watchlist can contain a lot of different types of data. It all depends on how you have set up the watchlist.

@Gary Bushey This is what I asked: when you use the Logic App action to load an entity, you can access the raw (JSON) data that has been returned. Since no value was returned, I couldn't find what is actually not returning the data.

Is there any blog or documentation available on the implementation that you can share? All I need is to add an item to the custom watchlist; it doesn't matter what the trigger is.