Microsoft Entra Suite Tech Accelerator
Aug 14 2024, 07:00 AM - 09:30 AM (PDT)
Microsoft Tech Community

Create incident using Logic APP

Copper Contributor
We are creating sentinel incident using 'create incident' action of Logic app. It is creating incidents but not capturing event and alert details.
 
Need help to get event and alerts with the incident.
 
Bhavini_0-1689763267967.png

 

1 Reply

@Bhavini 

Your incident will have a property called AlertIds, which should contain at least one value, but could be more if you have some grouping / correllation in place. A caveat here though - it's also possible for an incident to not have any alerts, but this would happen when MS redirects your alerts to another incident - more on this here.

In your LA (with incident trigger) you will have to create a 'Run query and list results' action under 'Azure Monitor Logs' connector - this will have to be done for each individual Alert (Dynamic Content from incident called 'Alert System ID'), but as AlertIds is an array it should automatically put it in a 'For Each' loop for you.

The query to run can be taken from the incident's Dynamic Content value called 'Alert Query'. Within the loop you will have to have an 'Append to array variable' action that will let you gather all the events that match your query logic - depending on your requirements it might need an array variable for each single Alert or combine them all into a single array (similar to a union operator in KQL). Remember to initialize these array vars before the loop.

This should give you events output for each alert within your incident.