Send email using playbook to office 365 user by retrieving user email address


Hi Folks,

I could get the playbook sending email to a specific mailbox, but not to an O365 user based on entity info within Sentinel. I am thinking this email address needs to be read from Azure AD. But how we put that into a Logic App is something missing. Any inputs are much appreciated.

 

Thanks

Senti

1 Reply

@Senti1905 

 

There is a native Azure AD connector in Logic Apps, so if you map the AAD User Object Id in your entity mapping you can then use that to get the user information such as email address.

 

First retrieve the entities from the incident, then use the connector to grab the user information.

 

Here is a little mock up for you. You can even grab their display name and pass that into the email too if you wanted.

 

[Image: logic app.png]
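The two steps from the reply (get the incident's account entities, then look each user up by AAD object ID) are sketched below in Python as an added example; it is not part of the original thread and is not a Logic App definition. The entity shape (`kind`, `properties.aadUserId`), the sample data and the `fetch_json` callback are assumptions; the lookup URL is the Microsoft Graph "get user" request.

```python
import re
from urllib.parse import quote

GRAPH = "https://graph.microsoft.com/v1.0"
GUID = re.compile(r"[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}")

def account_object_ids(entities):
    """Unique, well-formed AAD object IDs taken from Account entities only."""
    ids = []
    for ent in entities:
        if ent.get("kind") != "Account":
            continue
        oid = str((ent.get("properties") or {}).get("aadUserId") or "").lower()
        # Entity values come from alert data, so accept nothing but a strict GUID.
        if GUID.fullmatch(oid) and oid not in ids:
            ids.append(oid)
    return ids

def user_lookup_url(object_id):
    """Microsoft Graph 'get user' request, limited to the fields the email needs."""
    return f"{GRAPH}/users/{quote(object_id, safe='')}?$select=displayName,mail,userPrincipalName"

def resolve_recipients(entities, fetch_json):
    """fetch_json(url) returns the user object as a dict, or None if not found."""
    recipients = []
    for oid in account_object_ids(entities):
        user = fetch_json(user_lookup_url(oid)) or {}
        # mail can be null for some accounts; fall back to the UPN.
        address = user.get("mail") or user.get("userPrincipalName")
        if address:
            recipients.append({"name": user.get("displayName") or address, "email": address})
    return recipients

# Constructed sample data (not from a real tenant).
SAMPLE_ENTITIES = [
    {"kind": "Account", "properties": {"aadUserId": "11111111-2222-3333-4444-555555555555"}},
    {"kind": "Account", "properties": {"aadUserId": "../groups"}},   # malformed, dropped
    {"kind": "Ip", "properties": {"address": "203.0.113.7"}},        # not an account
    {"kind": "Account", "properties": {"aadUserId": "AAAAAAAA-0000-0000-0000-000000000001"}},
]
SAMPLE_DIRECTORY = {
    "11111111-2222-3333-4444-555555555555": {"displayName": "Alex Example", "mail": "alex@contoso.example"},
    "aaaaaaaa-0000-0000-0000-000000000001": {"displayName": "Sam Sample", "mail": None,
                                             "userPrincipalName": "sam@contoso.example"},
}

def fake_fetch(url):
    """Offline stand-in for an authenticated Graph GET (hypothetical helper)."""
    return SAMPLE_DIRECTORY.get(url.split("/users/")[1].split("?")[0])
```

In a real run, `fetch_json` would be an authenticated HTTP GET using an identity that has permission to read users.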