Adding Incident URL to Email

I have seen a few people ask how to get the Incident URL to show up in an email when calling a playbook. I was able to get this working by manually constructing the URL. I would consider this more of a workaround; the URL format could change at any time on Microsoft's end.

Essentially, what we are doing is adding the Incident ID onto the base URL: https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/

  1. Within the Logic App, you will need to get the Incident Details.
  2. The Incident Details will need to be parsed by the JSON parser; the schema is at the bottom of this post.
  3. Then initialize a variable using the base URL value https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/ and append the Id parameter from the Parse JSON action.
  4. Then you can insert that variable into your email body.

Within your Logic App it will look similar to this:

[Image: IncidentURL.png]

JSON Schema:

{
    "properties": {
        "etag": {
            "type": "string"
        },
        "id": {
            "type": "string"
        },
        "kind": {},
        "name": {
            "type": "string"
        },
        "properties": {
            "properties": {
                "AssignedTo": {},
                "CaseNumber": {
                    "type": "integer"
                },
                "CloseReason": {},
                "ClosedReasonText": {},
                "CreatedTimeUtc": {
                    "type": "string"
                },
                "Description": {
                    "type": "string"
                },
                "EndTimeUtc": {
                    "type": "string"
                },
                "FirstAlertTimeGenerated": {
                    "type": "string"
                },
                "Labels": {
                    "type": "array"
                },
                "LastAlertTimeGenerated": {
                    "type": "string"
                },
                "LastUpdatedTimeUtc": {
                    "type": "string"
                },
                "Metrics": {
                    "properties": {
                        "SecurityAlert": {
                            "type": "integer"
                        }
                    },
                    "type": "object"
                },
                "RelatedAlertIds": {
                    "items": {
                        "type": "string"
                    },
                    "type": "array"
                },
                "Severity": {
                    "type": "string"
                },
                "StartTimeUtc": {
                    "type": "string"
                },
                "Status": {
                    "type": "string"
                },
                "Title": {
                    "type": "string"
                }
            },
            "type": "object"
        },
        "tags": {},
        "type": {
            "type": "string"
        }
    },
    "type": "object"
}
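As an added example that is not part of the original post, the same construction in Python: it loads an incident document shaped like the schema above, builds the URL from the base URL and the `id`, and HTML-escapes the incident fields before placing them in an email body, since titles and severities originate from alert data rather than from the analyst. The sample incident and all of its values are constructed placeholders.

```python
import html
import json

# Base URL from the post; the portal's asset-link format is undocumented and may change.
BASE_URL = "https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/"

# Constructed sample incident shaped like the Parse JSON schema in the post.
# Every value is a placeholder, not real Sentinel data.
SAMPLE_INCIDENT = json.dumps({
    "etag": "placeholder-etag",
    "id": "placeholder-incident-id",
    "name": "placeholder-incident-id",
    "properties": {
        "CaseNumber": 42,
        "Title": "Suspicious sign-in <from> analyst notes",
        "Severity": "Medium",
        "Status": "New",
        "CreatedTimeUtc": "2020-01-01T00:00:00Z",
        "Labels": [],
        "RelatedAlertIds": ["placeholder-alert-id"],
    },
    "type": "placeholder-type",
})


def load_incident(raw: str) -> dict:
    """Equivalent of the Parse JSON action: turn the raw incident body into a dict."""
    return json.loads(raw)


def build_incident_url(incident: dict) -> str:
    """Equivalent of the Initialize variable step: base URL + the parsed 'id'."""
    incident_id = incident.get("id")
    if not isinstance(incident_id, str) or not incident_id:
        raise ValueError("incident JSON has no string 'id'; cannot build URL")
    return BASE_URL + incident_id


def render_email_body(incident: dict) -> str:
    """Build the HTML email body. Title and Severity come from alert data, so they
    are escaped before being placed in HTML; the URL is escaped for the href."""
    url = build_incident_url(incident)
    props = incident.get("properties", {})
    title = html.escape(str(props.get("Title", "")))
    severity = html.escape(str(props.get("Severity", "")))
    case_number = html.escape(str(props.get("CaseNumber", "")))
    return (
        f"<p>Incident #{case_number}: {title} (severity: {severity})</p>"
        f'<p><a href="{html.escape(url, quote=True)}">Open incident in Sentinel</a></p>'
    )
```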
2 Replies

@mperrotta This is great. Nice job!

I also have a KQL query that parses it out of AzureActivity:

https://github.com/rod-trent/SentinelKQL/blob/master/SentinelIncidentURLs-%20ALL.txt

@mperrotta: Great workaround!

Note that the incident URL is available through the API (see here) and should not be very hard to call from Logic Apps. We have also started private preview for triggering Playbooks on incident creation, which will provide easier access to incident details, including the URL.