Logic app - Escaped Characters and Formatting Problems in KQL Run query and list results V2 action
I’m building a Logic App to detect sign-ins from suspicious IP addresses. The logic includes: Retrieving IPs from incident entities in Microsoft Sentinel. Enriching each IP using an external API. Filtering malicious IPs based on their score and risk level. Storing those IPs in an array variable (MaliciousIPs). Creating a dynamic KQL query to check if any of the malicious IPs were used in sign-ins, using the in~ operator. Problem: When I use a Select and Join action to build the list of IPs (e.g., "ip1", "ip2"), the Logic App automatically escapes the quotes. As a result, the KQL query is built like this: IPAddress in~ ([{"body":"{\"\":\"\\\"X.X.X.X\\\"\"}"}]) Instead of the expected format: IPAddress in~ ("X.X.X.X", "another.ip") This causes a parsing error when the Run Query and List Results V2 action is executed against Log Analytics. ------------------------ Here's the For Each action loop who contain the following issue: Dynamic compose to formulate the KQL query in a concat, since it's containing the dynamic value above : concat('SigninLogs | where TimeGenerated > ago(3d) | where UserPrincipalName == \"',variables('CurrentUPN'),'\" | where IPAddress in~ (',outputs('Join_MaliciousIPs_KQL'),') | project TimeGenerated, IPAddress, DeviceDetail, AppDisplayName, Status') The Current UPN is working as expected, using the same format in a Initialize/Set variable above (Array/String(for IP's)). The rest of the loop : Note: Even if i have a "failed to retrieve" error on the picture don't bother with that, it's just about the dynamic value about the Subscription, I've entered it manually, it's working fine. What I’ve tried: Using concat('\"', item()?['ip'], '\"') inside Select (causes extra escaping). Removing quotes and relying on Logic App formatting (resulted in object wrapping). Flattening the array using a secondary Select to extract only values. Using Compose to debug outputs. Despite these attempts, the query string is always malformed due to extra escaping or nested JSON structure. I would like to know if someone has encountered or have the solution to this annoying problem ? Best regards
Extract Email Address from Incident Entity
I'm trying to put together a logic app that will reset a users password and also send them as email notifying them why their password was reset. The logic app triggers off a sentinel incident. The users email address I need to send to is from the Entities properties of the Sentinel incident. How can I extract the users email address? Its in the "MailAddress" property of each Entity. I believe Im going to have to parse it out of the JSON result but need some guidance if that is the case. Appreciate any help.
Sentinel incident playbook - get alert entities
Hi! My main task is to get all alerts (alerts, not incidents) from sentinel (analytics rules and Defender XDR) to external case management. For different reasons we need to do this on alert level. Alert trigger by design works perfectly, but this does not trigger on Defender alerts on Sentinel, only analytic rules. When using Sentinel incident trigger, then i'm not able to extract entities related to alerts, only incident releated entities. Final output is sent with HTTP post to our external system using logic app. Any ideas how to get in logic app all alerts with their entities?Retrieving MailAddress from Entity for Logic App
I'm trying to put together a logic app that will reset a users password and also send them an email notifying them why their password was reset. The logic app triggers off a sentinel incident. The users email address I need to send to is from the Entities properties of the Sentinel incident. How can I extract the users email address? Its in the "MailAddress" property of each Entity. I believe Im going to have to parse it out of the JSON result but need some guidance if that is the case. Appreciate any help.Generic Logic App to ingest IOCs in text format
Hi all, I configured Sentinel to ingest IOC from different Threat Intelligence sources (free) using TAXII connector. I would like to ingest others feeds in text format (like https://raw.githubusercontent.com/openphish/public_feed/refs/heads/main/feed.txt, , https://bazaar.abuse.ch/export/txt/sha1/recent/ ) using a generic Logic App to Security Graph. These IOCs could be IP, Hash, URL or domain. Does this kind of Logic App exists ?? Regards, HA
AMPLS Restrictions Preventing Outbound API Calls in Logic Apps – Any Workarounds?
Hi everyone, I’m encountering an issue where Azure Monitor Private Link Scope (AMPLS) restrictions are preventing Azure Logic Apps from making any outbound API calls, even to Microsoft-owned outbound IP addresses. One specific problem is that when running KQL queries inside a Logic App, the Azure Monitor connector fails because it attempts to access Microsoft outbound IPs, which are blocked by AMPLS restrictions. Since this is happening within Logic Apps itself, I don’t have direct control over these outbound calls. Has anyone found a workaround to allow Logic Apps to function correctly while keeping AMPLS in place? Would Private Endpoints, VNET Integration, or any other configuration help resolve this? Any insights or solutions would be greatly appreciated!AMPLS Restrictions Preventing Outbound API Calls in Logic Apps – Any Workarounds?
Hi everyone, I’m encountering an issue where Azure Monitor Private Link Scope (AMPLS) restrictions are preventing Azure Logic Apps from making any outbound API calls, even to Microsoft-owned outbound IP addresses. One specific problem is that when running KQL queries inside a Logic App, the Azure Monitor connector fails because it attempts to access Microsoft outbound IPs, which are blocked by AMPLS restrictions. Since this is happening within Logic Apps itself, I don’t have direct control over these outbound calls. Has anyone found a workaround to allow Logic Apps to function correctly while keeping AMPLS in place? Would Private Endpoints, VNET Integration, or any other configuration help resolve this? Any insights or solutions would be greatly appreciated!
Questions on Implementing Forced Password Resets Using Sentinel Playbooks
Hello! I am working on automating a forced password reset at the next login using Sentinel playbooks. I have a couple of questions and would love some help with this: How can I set this up so that users are required to reset their passwords upon their next login? I've noticed there isn't much information available online about this process. Are there alternative methods or suggestions for achieving this? Why might this approach not be commonly recommended, and are there any additional insights that could be helpful? Thank you!
