Aug 09 2021 04:56 AM
Hello,
I have created a custom alert to notify when a user is added to or deleted from Active Directory. This query lists a few values which I would like to use in a Logic App to trigger an email with the details to the Admin. Could you please advise how the Logic App can access the output values of the alert, or is there any other way that I can execute this?
Thanks
Raju
Aug 09 2021 08:55 AM
@Singanna When you create your Logic App, use either the Azure Sentinel Alert or the Azure Sentinel Incident triggers. Either one of these will populate a series of values that you can then use in the rest of your Logic App and will allow you to use the Logic App (called a Playbook inside of Azure Sentinel) with Azure Sentinel.
If you use the Azure Sentinel Alert trigger you would then need to modify your Analytic rule and add the new Playbook to it but you could also trigger the Playbook manually.
If you use the Incident trigger, you can create an Automation rule so that multiple Analytic rules can use it but you cannot trigger the Playbook manually.
Sep 05 2022 06:00 AM - edited Sep 05 2022 06:02 AM
Actually, the query used to trigger the alert is also included within the extended properties of the alert trigger, so retrieving the same data again to add to an email is not impossible.
https://cloudblogs.microsoft.com/industry-blog/en-gb/cross-industry/2020/04/27/azure-sentinel-adding...
It appears to not be supported officially due to some unreliable factors, so responsibility falls on the user I guess but I have used it successfully in the past. I really wish they could support this usage officially.
https://docs.microsoft.com/en-us/connectors/azuresentinel/#restoring-alerts-original-query-is-curren...