Customize Alert Rule Email

Question

I have created an alert rule based on a query , i want to send that query output in the alert email , how can i do it ?

Answer 1

@siddharth bansal - Thanks for reaching out to us.

You can use Azure Sentinel or Azure Monitor to send the query output in the alert email.

To do it using Azure Sentinel, please follow the below steps:

1. In the Azure Sentinel portal, go to the Analytics section and select the analytics rule that you want to customize.
2. Provide the necessary details for Alert rule details, Query, Alert Details.
3. In the Add alert detail dialog box, select the Alert property that you want to customize.
4. In the Alert property value field, you can use the @properties token to include the query output in the alert email. For example, if your query output includes a field called IPAddress, you can use the following syntax to include the IP address in the alert email: @properties.IPAddress.
5. Click on the Add button to add the alert detail.
6. When you have finished customizing your alert details, select the Create rule button.

After you have customized the alert details, the query output will be included in the alert email when the alert is triggered.

Hope this helps. and please feel free to reach out if you have any further questions.

---

If the above response was helpful, please feel free to "Accept as Answer" and click "Yes" so it can be beneficial to the community.

Answer 2

On top of what Monalla mentioned, I'd recommend you taking a look at triggers and actions with playbooks:

Use triggers and actions in Microsoft Sentinel playbooks

https://learn.microsoft.com/en-us/azure/sentinel/playbook-triggers-actions

Incident dynamic fields

https://learn.microsoft.com/en-us/azure/sentinel/playbook-triggers-actions#incident-dynamic-fields

Work with incidents - usage examples

https://learn.microsoft.com/en-us/azure/sentinel/playbook-triggers-actions#work-with-incidents---usage-examples

---

If this is helpful please accept answer.