Skip to main content

Azure Sentinel: Adding the query data to an Alert in a Playbook

Azure Sentinel Playbooks (based on Logic Apps) are commonly used to take Alert data and perform a Security Orchestration, Automation and Response (SOAR) capability

For this issue (I was asked about it twice today so decided to post the answer).  You can use the “Run query and visualise results” to take the Query from the Alert (step 1), run it (step 2), and then Email (or whatever you prefer) in step 3.

 

Sentinel Playbook

 

Now for the important part:

You need this string (below) in the Query field as an expression.  This will then reach into the ExtendProperties and extract “Just” the Query (KQL) and then run it.

triggerBody()[‘ExtendedProperties’][‘Query’]

 

Sentinel expression

 

That way, you will get the results of the Query in the Email (or wherever)

 

Thanks