Extract query results from sentinel incident trigger logic app connector

Copper Contributor


Does anyone know if it’s possible to do the following:

We have an analytic rule powered by a very simple query (2-line query)

The results would produce results like these (If you were to run the query manually), (I have not pasted the actual data that corresponds to the rows of course)


logic app1.JPG


is it possible to extract the data from the results above from within the actual sentinel incident connector? 

logic app2.JPG


I have tried a few of these below, but no luck.


logic app3.JPG


NOTE: I know that I may be able to perhaps get the results using the "Azure monitor logs" connector, but I don't want to do that, I want to know if that data exists within the "sentinel incident" connector itself.



2 Replies
The SecurityAlert Table has the query, so you can always use the Logic Apps to extract and re-run that.
The Incident payload is kept brief, so only brings back minimal data by design, so if you need all the columns, you can re-run the query from the Alert or if its really is 2 lines, then just run it again.

Just be aware that if the original query was scoped to a small duration like 5mins, by the time the Logic Apps runs you may need to change the scope to capture the same time period

@Clive_Watson thanks for the reply. Yes I figured that if something as straightforward as this didn't get an answer very quickly, there was no way to do it just with the "Microsoft Sentinel Incident" connector.