Microsoft Tech Community
SOLVED

Sentinel Playbook Error


Hi, for some time now I've been learning Sentinel and creating playbooks. Could someone explain how to do it in this particular case?

I am not able to proceed, as I am missing AD info from the query. How can I fix it?
Is there any way to add the AD ID or principal name, or to modify the query?

[Screenshot attached: CyberKing_1-1681978139195.png]

2 Replies
It looks like the "EmailEvents" table contains the email address of the user (although I am not sure if you can use that to get a user's information or not). You can do a join on the "NetworkMessageId" column.
best response confirmed by CyberKing (Copper Contributor)
Solution
Actually, breaking the problem down would help here.
Have a look at the logic app run history and look at the output parameters for the Entities - Get Accounts steps, and that should give you the dynamic field for email.