
Logic App Email Not Sending


I have a Logic App that is supposed to check for Sentinel incidents every 10 minutes and send an email when an incident has been created. This only seems to work about 80% of the time and there is nothing obvious to me why emails aren't sent for all incidents captured by the query. Run history shows a status of "Succeeded" every time. 


Here is the LA:


The Recurrence is 10 minutes.


| where TimeGenerated >= ago(10m)
| summarize arg_max(TimeGenerated, *) by IncidentNumber
| where Severity != "Informational"
| where Severity != "Low"
| where Status != "Closed"
| extend AlertNum = tostring(AlertIds[0])
| extend Generated = format_datetime(datetime_utc_to_local(TimeGenerated, 'US/Eastern'), "MM/dd/yyyy hh:mm tt")
| project Title, AlertNum, IncidentNumber, Generated, Severity, Status, IncidentUrl
| join (SecurityAlert
    | project SystemAlertId, Description)
    on $left.AlertNum == $right.SystemAlertId


If I run the query outside of the Logic App it always returns the incident. 


Within the LA run history the indication is there are no results:


As mentioned, this works about 80% of the time, so the configuration of the Send Email step is properly set up.

Any suggestions appreciated. 
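
An added example, not part of the original post: a replay of a 10-minute recurrence against the `TimeGenerated >= ago(10m)` filter, showing one way a run can succeed with no results for an incident that a later manual query returns. It assumes rows become queryable a few minutes after their `TimeGenerated` (ingestion delay), which the post does not establish as the cause here; the timestamps are constructed and `emails_sent` and `missed` are hypothetical helper names.

```python
from datetime import datetime, timedelta

def m(minutes):
    """Constructed timestamp: noon plus the given number of minutes."""
    return datetime(2024, 1, 1, 12, 0) + timedelta(minutes=minutes)

# Constructed sample rows (assumption, not data from the post):
# (IncidentNumber, TimeGenerated, time the row became queryable in the workspace)
ROWS = [
    (101, m(3),    m(4)),
    (102, m(9),    m(12)),   # generated before the 12:10 run, queryable after it
    (103, m(15),   m(16)),
    (104, m(28.5), m(31)),   # same pattern around the 12:30 run
    (105, m(33),   m(35)),
]
RUNS = [m(x) for x in (10, 20, 30, 40)]   # the 10-minute recurrence

def emails_sent(rows, runs, lookback_min, dedupe=False):
    """Replay each scheduled run; return the incident numbers emailed, in order."""
    sent, notified = [], set()
    for now in runs:
        window_start = now - timedelta(minutes=lookback_min)
        for number, generated, queryable in rows:
            if queryable > now:            # row not in the workspace yet at run time
                continue
            if generated < window_start:   # fails `TimeGenerated >= ago(Nm)`
                continue
            if dedupe and number in notified:
                continue                   # already emailed by an earlier, overlapping run
            notified.add(number)
            sent.append(number)
    return sent

def missed(rows, sent):
    """Incident numbers that no run ever emailed."""
    return sorted({n for n, _, _ in rows} - set(sent))

if __name__ == "__main__":
    exact = emails_sent(ROWS, RUNS, 10)
    print("ago(10m):", exact, "missed:", missed(ROWS, exact))
    print("ago(15m):", emails_sent(ROWS, RUNS, 15))
    print("ago(15m) + dedupe:", emails_sent(ROWS, RUNS, 15, dedupe=True))
```

In this replay, every run succeeds, yet incidents 102 and 104 are never emailed with the exact 10-minute window. A lookback longer than the recurrence picks them up, at the cost of repeat emails unless already-notified incident numbers are tracked.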

