Azure Sentinel: Adding the query data to an Alert in a Playbook
Azure Sentinel Playbooks (based on Logic Apps) are commonly used to take Alert data and provide a Security Orchestration, Automation and Response (SOAR) capability.
I was asked about this twice today, so I decided to post the answer. You can use the “Run query and visualise results” action to take the Query from the Alert (step 1), run it (step 2), and then email the results (or whatever you prefer) in step 3.
Now for the important part:
You need the string below in the Query field, entered as an expression. It reaches into ExtendedProperties, extracts just the Query (the KQL) and then runs it. Note that the quotes must be straight single quotes, not the curly quotes a word processor inserts:
triggerBody()['ExtendedProperties']['Query']
That way, you will get the results of the Query in the Email (or wherever you send them).
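As an added illustration (not part of the original post), the following Python mirrors what the expression does to the alert trigger body, but fails with a clear message when the alert carries no Query, which happens for alerts that did not come from a scheduled analytics rule. The sample payload is constructed, and the handling of ExtendedProperties arriving as a JSON string is an assumption, not something the post states.

```python
import json

# Constructed sample of a Sentinel alert trigger body (not a real alert).
# Only the ExtendedProperties/Query shape follows the post; other values are placeholders.
SAMPLE_TRIGGER_BODY = {
    "AlertDisplayName": "Suspicious sign-in burst (constructed example)",
    "Severity": "Medium",
    "ExtendedProperties": {
        "Query": "SigninLogs | where ResultType != 0 | summarize count() by UserPrincipalName",
    },
}


def extract_alert_query(trigger_body):
    """Equivalent of triggerBody()['ExtendedProperties']['Query'] with explicit failure modes.

    Returns the KQL text to re-run, or raises ValueError so the playbook run fails
    visibly instead of running an empty query.
    """
    props = trigger_body.get("ExtendedProperties")
    if props is None:
        raise ValueError("alert has no ExtendedProperties (not a scheduled-rule alert?)")
    # Assumption: some delivery paths encode ExtendedProperties as a JSON string.
    if isinstance(props, str):
        props = json.loads(props)
    query = props.get("Query")
    if not isinstance(query, str) or not query.strip():
        raise ValueError("ExtendedProperties carries no Query to re-run")
    return query.strip()


if __name__ == "__main__":
    print(extract_alert_query(SAMPLE_TRIGGER_BODY))
```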
Thanks