Sentinel Playbook Error

Occasional Contributor

Hi, for some time now I've been learning Sentinel and creating playbooks. Could someone explain how to do it in this particular case?


I am not able to process forward as I am missing AD info from the query. How can I fix it?
Is there any way to add the AD ID or principal name, or to modify the query?


2 Replies
It looks like the "EmailEvents" table contains the email address of the user (although I am not sure if you can use that to get a user's information or not). You can do a join on the "NetworkMessageId" column.
Actually, breaking the problem down would help here.
Have a look at the logic app run history and look at the output parameters for Entities - Get Accounts steps and that should give you the dynamic field for email.
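
The join suggested in the first reply could look like the following KQL. This is an added example, not the poster's query: the original query is not shown on this page, so it assumes the rule starts from `EmailUrlInfo`, and it uses the `EmailEvents` columns `RecipientEmailAddress` and `RecipientObjectId` to supply the missing account fields. The `AccountName` and `AccountUPNSuffix` column names are chosen for the example.

```kusto
// Added example. Assumption: the analytics rule query starts from EmailUrlInfo,
// which carries NetworkMessageId but no recipient identity.
EmailUrlInfo
| where TimeGenerated > ago(1h)
| project TimeGenerated, NetworkMessageId, Url, UrlDomain
| join kind=inner (
    // EmailEvents holds the recipient address and the recipient's directory object ID
    EmailEvents
    | where TimeGenerated > ago(1h)
    | project NetworkMessageId, SenderFromAddress, RecipientEmailAddress,
              RecipientObjectId, Subject
  ) on NetworkMessageId
// One row per recipient of the message. Split the address so the Account entity
// can be mapped on Name + UPNSuffix (the mail address may differ from the UPN).
| extend AccountName      = tostring(split(RecipientEmailAddress, "@")[0]),
         AccountUPNSuffix = tostring(split(RecipientEmailAddress, "@")[1])
| project TimeGenerated, NetworkMessageId, Url, UrlDomain, Subject,
          SenderFromAddress, RecipientEmailAddress, RecipientObjectId,
          AccountName, AccountUPNSuffix
```

In the rule's entity mapping, map `RecipientObjectId` to the Account entity's AadUserId identifier and `AccountName`/`AccountUPNSuffix` to Name/UPNSuffix, so the playbook's Entities - Get Accounts step has account fields to return.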