Logic App Email Not Sending
Hello.
I have a Logic App that is supposed to check for Sentinel incidents every 10 minutes and send an email when an incident has been created. This only seems to work about 80% of the time and there is nothing obvious to me why emails aren’t sent for all incidents captured by the query. Run history shows a status of “Succeeded” every time.
Here is the LA:
The Recurrence is 10 minutes.
Query:
SecurityIncident
| where TimeGenerated >= ago(10m)
| summarize arg_max(TimeGenerated, *) by IncidentNumber
| where Severity != "Informational"
| where Severity != "Low"
| where Status != "Closed"
| extend AlertNum = tostring(AlertIds[0])
| extend Generated = format_datetime(datetime_utc_to_local(TimeGenerated, 'US/Eastern'), "MM/dd/yyyy hh:mm tt")
| project Title, AlertNum, IncidentNumber, Generated, Severity, Status, IncidentUrl
| join (SecurityAlert
| project SystemAlertId, Description
)
on $left.AlertNum == $right.SystemAlertId
If I run the query outside of the Logic App it always returns the incident.
Within the LA run history the indication is that there are no results:
As mentioned, this works about 80% of the time, so the configuration of the Send Email step is properly set up.
Any suggestions appreciated.
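One cause worth checking, as an added simulation that is not part of the post: when the query lookback (ago(10m)) equals the recurrence interval, any lag between when consecutive runs actually fire leaves a gap that the "where TimeGenerated >= ago(10m)" filter never covers, even though every run reports Succeeded. The incidents and run times below are constructed, and a wider lookback is compared with and without tracking already-notified IncidentNumbers.

```python
from datetime import datetime, timedelta

# Constructed sample incidents: (IncidentNumber, TimeGenerated). Not real data.
INCIDENTS = [
    (101, datetime(2024, 1, 1, 10, 3, 0)),
    (102, datetime(2024, 1, 1, 10, 8, 0)),
    (103, datetime(2024, 1, 1, 10, 10, 20)),  # lands seconds after the 10:10 run fired
    (104, datetime(2024, 1, 1, 10, 25, 0)),
]

# Constructed run schedule: a 10-minute recurrence whose runs fire a little late
# and by varying amounts, so the instant at which ago() is evaluated drifts.
RUNS = [
    datetime(2024, 1, 1, 10, 0, 5),
    datetime(2024, 1, 1, 10, 10, 5),
    datetime(2024, 1, 1, 10, 20, 40),
    datetime(2024, 1, 1, 10, 30, 3),
]


def query_window(run_at, lookback_min):
    """IncidentNumbers that 'where TimeGenerated >= ago(<lookback>)' would return
    when the query is evaluated at run_at."""
    start = run_at - timedelta(minutes=lookback_min)
    return [n for n, t in INCIDENTS if start <= t <= run_at]


def simulate(lookback_min, dedupe=False):
    """Return (set of incidents emailed at least once, total emails sent).

    dedupe=True models the Logic App remembering which IncidentNumbers it has
    already sent, which a wider lookback needs to avoid repeat emails."""
    seen, emails = set(), 0
    for run_at in RUNS:
        for n in query_window(run_at, lookback_min):
            if dedupe and n in seen:
                continue
            seen.add(n)
            emails += 1
    return seen, emails


def missed(lookback_min):
    """Incidents that no run ever returned for the given lookback."""
    return sorted({n for n, _ in INCIDENTS} - simulate(lookback_min)[0])


if __name__ == "__main__":
    for lb in (10, 15):
        print(f"ago({lb}m): missed={missed(lb)} emails={simulate(lb)[1]} "
              f"emails_with_dedupe={simulate(lb, dedupe=True)[1]}")
```

The simulation covers only the time window; the query's inner join on SecurityAlert can drop an incident in the same silent way if the alert behind AlertIds[0] has not landed in the table yet when the run fires.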