Microsoft Tech Community

Custom Alerts output in Logic App


Hello,

I have created a custom alert to notify when a user is added to or deleted from Active Directory. This query lists the few values which I would like to use in a Logic App to trigger an email with the details to the admin. Could you please advise how the Logic App can access the output values of the alert, or is there any other way that I can execute this?

Thanks

Raju


9 Replies

@Singanna When you create your Logic App, use either the Azure Sentinel Alert or the Azure Sentinel Incident trigger. Either one of these will populate a series of values that you can then use in the rest of your Logic App, and will allow you to use the Logic App (called a Playbook inside of Azure Sentinel) with Azure Sentinel.

If you use the Azure Sentinel Alert trigger, you would then need to modify your Analytic rule and add the new Playbook to it, but you could also trigger the Playbook manually.

If you use the Incident trigger, you can create an Automation rule so that multiple Analytic rules can use it, but you cannot trigger the Playbook manually.

Thanks @GaryA for the response. I have created the Logic App using the Sentinel Alert trigger and configured it for the alert. But I need my alert output in the Logic App so that the email will show the details of the user being added to/removed from the group. I could not find the Logic App populating those values so that I could add them to my email. Please advise.
What information is it you are looking for? When you click in the body of the Email, for example, you should be presented with a listing of dynamic content, some of which will come from the Alert trigger.
Hi @GaryA
I have alert output like the Active Directory name and the user who is added to/removed from the AD. I want to add these details to an email body and send it to the required parties. I want to trigger this email via the Logic App. But I am not sure how the alert trigger data can be accessed via the Logic App. Hope I am clear here.
Thanks
Raju
Only those values that have been exposed as Entities will be available to be used. The other values are not accessible.
Yes @GaryA, I have exposed the values under Entities like AD group name, User added and Updated By. Can you please advise how they can be accessed in Logic Apps, an example will help here.
Thanks
Raju
In that case you can use the Azure Sentinel Entities action to get the different types of Entities (Accounts, FileHashes, Hosts, IPs, and URLs) to get the data. The information is stored as a JSON array, since you can have multiple entries in each, so you will need to parse the JSON afterwards to get to the individual entry in each one.
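As an added illustration (not code from the thread or from the Sentinel connector), the block below shows what the "parse the JSON afterwards" step amounts to once the Entities - Get Accounts action has run: it takes the JSON array that action returns, pulls out the per-account fields, and builds the email body the original poster wants. The sample array and the field names (`kind`, `accountName`, `upnSuffix`, `ntDomain`, `friendlyName`) are constructed here as assumptions about the Account entity shape; check them against the dynamic content your own Parse JSON step exposes. In a real playbook the same logic is a Parse JSON action followed by a For each over the array, feeding expressions such as `items('For_each')?['accountName']` into the Send an email action. Because every value originates from log data rather than from anything you control, the body is HTML-escaped before it is rendered.

```python
import html
import json

# Constructed sample of what the Sentinel "Entities - Get Accounts" action
# returns: a JSON array of Account entities. Field names are assumptions
# about the entity schema, not copied from the original thread.
SAMPLE_ACCOUNTS_JSON = json.dumps([
    {"kind": "Account", "accountName": "jdoe", "upnSuffix": "contoso.com",
     "ntDomain": "CONTOSO", "friendlyName": "jdoe@contoso.com"},
    {"kind": "Account", "accountName": "admin01", "upnSuffix": "contoso.com",
     "ntDomain": "CONTOSO", "friendlyName": "admin01@contoso.com"},
])


def parse_accounts(raw):
    """Parse the JSON array the Entities action emits into plain dicts.

    Mirrors the Parse JSON + For each steps of a playbook. An empty or
    missing body (alert with no mapped Account entities) yields [] rather
    than failing the run.
    """
    data = json.loads(raw) if raw else []
    if not isinstance(data, list):
        raise ValueError("expected a JSON array of entities")
    accounts = []
    for item in data:
        # Skip anything that is not an Account entity (defensive; the
        # Get Accounts action should only return accounts).
        if item.get("kind", "Account") != "Account":
            continue
        name = item.get("accountName") or item.get("friendlyName") or ""
        suffix = item.get("upnSuffix")
        domain = item.get("ntDomain")
        upn = f"{name}@{suffix}" if name and suffix else (item.get("friendlyName") or name)
        accounts.append({"name": name, "upn": upn, "domain": domain})
    return accounts


def build_email_body(alert_name, accounts):
    """Render the parsed accounts as an HTML table for the admin email.

    Every value came from log data, so it is escaped before being placed
    in HTML; an account name is attacker-influenced input, not trusted text.
    """
    if not accounts:
        return f"<p>{html.escape(alert_name)}: no account entities were mapped.</p>"
    rows = "".join(
        f"<tr><td>{html.escape(a['upn'])}</td><td>{html.escape(a['domain'] or '')}</td></tr>"
        for a in accounts
    )
    return (
        f"<p>{html.escape(alert_name)}</p>"
        f"<table><tr><th>Account</th><th>Domain</th></tr>{rows}</table>"
    )


if __name__ == "__main__":
    parsed = parse_accounts(SAMPLE_ACCOUNTS_JSON)
    print(build_email_body("AD group membership changed", parsed))
```

Only fields that were mapped as entities on the analytic rule reach this step; anything else in the query output is not part of the entity array and has to come from elsewhere in the trigger payload.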
How does this work for custom entities, that are not defined under entity mapping?

Actually, the query used to trigger the alert is also included within the extended properties of the alert trigger, so retrieving the same data again to add to an email is not impossible.
https://cloudblogs.microsoft.com/industry-blog/en-gb/cross-industry/2020/04/27/azure-sentinel-adding...

It appears not to be supported officially due to some unreliable factors, so responsibility falls on the user, I guess, but I have used it successfully in the past. I really wish they could support this usage officially.
https://docs.microsoft.com/en-us/connectors/azuresentinel/#restoring-alerts-original-query-is-curren...