Using flow Cloud App Security Alert trigger


I have a DLP rule in Offi e 365 that triggers an alert when PCI data is detected.  I want t use Flow to send an email to the person who owns the detected file\s, providing them the file name and location (this info is in the alerts when you view them in Cloud App Security) and asking them to remove the PCI data.


I setup the API token, a Cloud App Security trigger and then attached a basic email action to my and attached that to the alert as a Flow action just so I know when the DLP picks up PCI it runs the configured alert which then runs the configured Flow and I get the test email.  This works perfectly.


Next step then is to customize it to the file owner.  Here is where I'm having problems.  I need to put the file owner email address in the To field and at a minimum the file\s detected in the body.  My problem is I cant find any doco that explains what each of the dynamic content options actually are so I don't know which one give me the person and the file\s info.  I tried to just add all of them and wait for a triggered event but some I believe are arrays so it adds a "For each" action which I don't want.  How can i work out the dynamic content fields I need?

2 Replies
Hi @ifk73

Can you help me with setting up with this API token. As of now, we have our custom DLP rules created in O365. Everytime a violation is triggered an incident is sent to a support email. We want to automate this in such a way that this alert can be sent to SNOW or Sentinel.

@Pranesh1060 suggest you take a look at this link and the demo video on the link.  It pretty much takes you through it although there may be additional setup needed from the service now side.