Logic App Email Not Sending


Hello.
I have a Logic App that is supposed to check for Sentinel incidents every 10 minutes and send an email when an incident has been created. This only seems to work about 80% of the time and there is nothing obvious to me why emails aren't sent for all incidents captured by the query. Run history shows a status of "Succeeded" every time. 

 

Here is the LA:

techjunk_0-1718372559832.png

The Recurrence is 10 minutes.

Query:

SecurityIncident
| where TimeGenerated >= ago(10m)
| summarize arg_max(TimeGenerated, *) by IncidentNumber
| where Severity != "Informational"
| where Severity != "Low"
| where Status != "Closed"
| extend AlertNum = tostring(AlertIds[0])
| extend Generated = format_datetime(datetime_utc_to_local(TimeGenerated, 'US/Eastern'), "MM/dd/yyyy hh:mm tt")
| project Title, AlertNum, IncidentNumber, Generated, Severity, Status, IncidentUrl
| join (
    SecurityAlert
    | project SystemAlertId, Description
) on $left.AlertNum == $right.SystemAlertId

 

If I run the query outside of the Logic App it always returns the incident. 

 

Within the LA run history, the indication is that there are no results:

techjunk_1-1718373417825.png

As mentioned, this works about 80% of the time, so the configuration of the Send Email step is properly set up.

Any suggestions appreciated. 


 
