cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Extract query results from sentinel incident trigger logic app connector

ameri1805
Copper Contributor

‎Jan 02 2023 08:43 AM

‎Jan 02 2023 08:43 AM

Extract query results from sentinel incident trigger logic app connector

Folks,

Does anyone know if it’s possible to do the following:

We have an analytic rule powered by a very simple query (2-line query)

The results would produce results like these (If you were to run the query manually), (I have not pasted the actual data that corresponds to the rows of course)

 

logic app1.JPG

 

is it possible to extract the data from the results above from within the actual sentinel incident connector? 

logic app2.JPG

 

I have tried a few of these below, but no luck.

 

logic app3.JPG

 

NOTE: I know that I may be able to perhaps get the results using the "Azure monitor logs" connector, but I don't want to do that, I want to know if that data exists within the "sentinel incident" connector itself.

 

 

Labels:
1,807 Views
0 Likes
2 Replies
Reply
2 Replies
Clive_Watson

‎Jan 03 2023 01:17 AM

‎Jan 03 2023 01:17 AM

Re: Extract query results from sentinel incident trigger logic app connector

The SecurityAlert Table has the query, so you can always use the Logic Apps to extract and re-run that.
The Incident payload is kept brief, so only brings back minimal data by design, so if you need all the columns, you can re-run the query from the Alert or if its really is 2 lines, then just run it again.

Just be aware that if the original query was scoped to a small duration like 5mins, by the time the Logic Apps runs you may need to change the scope to capture the same time period
0 Likes
Reply
ameri1805

‎Jan 03 2023 08:06 AM - edited ‎Jan 04 2023 12:07 PM

‎Jan 03 2023 08:06 AM - edited ‎Jan 04 2023 12:07 PM

Re: Extract query results from sentinel incident trigger logic app connector

@Clive_Watson thanks for the reply. Yes I figured that if something as straightforward as this didn't get an answer very quickly, there was no way to do it just with the "Microsoft Sentinel Incident" connector.

0 Likes
Reply