TechQA.

Azure Sentinel: Be notified when a playbook run fails or playbook action is disconnected

125 views Asked by At

Within Azure Sentinel, I have several automation rules set up that respond with various playbooks/logic apps.

I want to be notified or know how to search the logs to find all the

  1. failed runs
  2. failed actions (by playbooks/logicapps) and
  3. when a playbook connection is disconnected (see screenshot below). enter image description here

The closest I've gotten to this is via azurediagnostics logs but Im noticing this only captures less than 1% of the logic apps in my environment.

AzureDiagnostics 
    | where OperationName contains "Microsoft.Logic"
    | extend OperationType = tostring(split(OperationName,'/')[2])
    | extend LogicApp = tostring(split(ResourceId,'/')[8])
    | extend IncidentNumber = toint(extract(@"[a-f0-9]{8}\-[a-f0-9]{4}\-[a-f0-9]{4}\-[a-f0-9]{4}\-[a-f0-9]{12}\_(\d+)", 1, correlation_clientTrackingId_s))
    | summarize Resource = strcat_array(make_set(Resource),', '),
     status_s = strcat_array(make_set(status_s),', ')  by LogicApp, IncidentNumber, OperationType, Level
azure azure-automation azure-diagnostics azure-sentinel
Original Q&A
2

There are 2 answers

0
HarriS On BEST ANSWER

You can create an alert rule on a logic app: enter image description here

0
HarriS On

This KQL will show All Logic App Failures, however, will not show when a connection fails.

AzureActivity
| where ResourceProviderValue =~ "Microsoft.Logic"
| mv-expand parse_json(Authorization)
| evaluate bag_unpack(Authorization,  OutputColumnPrefix='Authorization_')
| mv-expand parse_json(Properties)
| evaluate bag_unpack(Properties,  OutputColumnPrefix='Properties_')
| extend LogicApp = tostring(iff(split(ResourceId,'/')[8]=="australiaeast",split(ResourceId,'/')[-1],split(ResourceId,'/')[8]))
| summarize Properties_statusMessage=strcat_array(make_set(Properties_statusMessage),', '),
Properties_message=strcat_array(make_set(Properties_message),', '),
Properties_isComplianceCheck=strcat_array(make_set(Properties_isComplianceCheck),', '),
ActivityStatus=strcat_array(make_set(ActivityStatus),', '),
ActivityStatusValue=strcat_array(make_set(ActivityStatusValue),', '),
CallerIpAddress=strcat_array(make_set(CallerIpAddress),', ')  by EventSubmissionTimestamp,LogicApp, Caller, OperationName, Resource

Related Questions in AZURE

Related Questions in AZURE-AUTOMATION

Related Questions in AZURE-DIAGNOSTICS

Related Questions in AZURE-SENTINEL

Popular Questions

Popular Tags

javascript python java c# php android html jquery c++ css ios sql mysql r reactjs node.js arrays c asp.net json python-3.x ruby-on-rails .net sql-server swift django angular objective-c pandas excel

Trending Questions