Parsing a Sentinel Alert through Logic App


Hi.
I'm struggling with configuring a Logic App to be run when a Sentinel alert is triggered.
More specifically, the details of the Sentinel alert being printed out via the Logic App.

The query the alert runs is:

```kql
AuditLogs
| where TimeGenerated > ago(1h)
| where OperationName contains "Add member to group"
| where parse_json(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[1].newValue)) contains "Fabric-RG"
| extend InitiatingUser = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)
| extend TargetUser = tostring(TargetResources[0].userPrincipalName)
| extend GroupName = tostring(parse_json(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[1].newValue)))
| project TimeGenerated, OperationName, InitiatingUser, TargetUser, GroupName
```

This pulls up any changes (member additions) to a group with "Fabric-RG" in its name.
When running this query alone, it returns the info:

[screenshot: query results]


Now the info that returns in the Logic App is different; it's currently set up to print out entity friendly names, and I was wondering if anyone could help me configure it so it prints out the initiating user, target user and target group as the query does? I am unsure how to select those specific entities created within the query.

[screenshot: Logic App output]

Any advice on this would be greatly appreciated.
Thank you.

1 Reply
Not so easy to debug from a few screenshots.
It may be easier to understand what's going on by casting related Entities to an array, then doing Filter array where the expression to be filtered is

item()?['kind'] equal to Account

then loop and look at the properties JSON and extract the two entities.
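The filter-then-loop approach described in this reply, as an added workflow-definition fragment (not the poster's own Logic App). It assumes the incident trigger, whose `relatedEntities` items carry `kind` and `properties`, and that the analytics rule maps InitiatingUser and TargetUser to Account entities; the `accountName` and `upnSuffix` property names are assumed from the Account entity schema.

```json
{
  "Filter_Account_entities": {
    "type": "Query",
    "runAfter": {},
    "inputs": {
      "from": "@triggerBody()?['object']?['properties']?['relatedEntities']",
      "where": "@equals(item()?['kind'], 'Account')"
    }
  },
  "For_each_account": {
    "type": "Foreach",
    "runAfter": { "Filter_Account_entities": ["Succeeded"] },
    "foreach": "@body('Filter_Account_entities')",
    "actions": {
      "Compose_account_upn": {
        "type": "Compose",
        "runAfter": {},
        "inputs": "@concat(item()?['properties']?['accountName'], '@', item()?['properties']?['upnSuffix'])"
      }
    }
  }
}
```

Without entity mapping on the analytics rule, the InitiatingUser and TargetUser columns never become Account entities, so the filter returns an empty array; check the rule's Entity mapping tab before debugging the Logic App.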