not able to send an email to the affected user linked to an incident generated by sentinel

Question

not able to send an email to the affected user linked to an incident generated by sentinel

Louis Siepen 20

I trued to apply a couple tutorials and suggestion but my playbook always fails.

I mapped as entities : Account, Mailbox (with UPN as identifier).

Sentinel successfully generates the incident using the KQL code so I use Get incident (get account in previous tests), search for users V2 and Send an email (V2) but I am always getting bad request because when Sentinel, generates the UPN or account Name, it normalizes it and gets an inaccurate UPN or no UPN at all :

  },
    "body": {
        "To": null,
        "Subject": "test",
        "Body": "<p class=\"editor-paragraph\">test</p>",
        "Importance": "Normal"
    }

I even tried to extend my KQL code win order to genearte the UPN directly from there, but I am still not able to get the UPN sent to the action get incident in the playbook :

 extend UPN = strcat(InitiatingProcessAccountName, "@mydomain.com")
| extend CustomDetails = bag_pack("UPN", UPN)

C User's image

Could you please provide assistance

Thanks in advance

Jyotishree Moharana 1,845 Reputation points Microsoft External Staff Moderator

2025-05-30T14:37:23.71+00:00

Hello @Louis Siepen,

Following up to check if you have any questions or query, kindly do let us know.
Louis Siepen 20 Reputation points

2025-05-30T14:45:45.0733333+00:00

hello @Jyotishree Moharana
ok, I will try to implement the parse solution, thank you for your help !Have a nice day
Jyotishree Moharana 1,845 Reputation points Microsoft External Staff Moderator

2025-06-03T05:57:56.24+00:00

Hello @Louis Siepen,

Following up to check if you had a chance to try the suggested steps and if you have any query.
Louis Siepen 20 Reputation points

2025-06-03T15:34:41.83+00:00

hello @Jyotishree Moharana I will try now and let you know before the end of today

thanks

Louis Siepen 20

hello @Jyotishree Moharana, I am using the following KQL to get the UPN with the incident(ransomware detection) :

let KnownRansomwareExtensions = dynamic([
    ".locky", ".ryuk", ".conti", ".revil", ".megacortex", ".darkside", ".clop", ".blackcat", ".egregor", ".avaddon"
]);
DeviceFileEvents
| where ActionType == "FileRenamed"
| extend NewExtension = extract(@'\.([a-zA-Z0-9]+)$', 1, FileName)
| where NewExtension != "" 
| extend NewExtension = strcat(".", tolower(NewExtension))
| where NewExtension in (KnownRansomwareExtensions)
| extend UPN = strcat(InitiatingProcessAccountName, "@mydomain.com")
| extend customDetails = bag_pack("UPN", UPN)
| project
    TimeGenerated,
    DeviceName,
    InitiatingProcessAccountName,
    FileName,
    PreviousFileName,
    NewExtension,
    FolderPath,
    InitiatingProcessFileName,
    InitiatingProcessCommandLine,
    customDetails
| sort by TimeGenerated desc

the incident JSON is :

{
    "statusCode": 200,
    "headers": {
        "Cache-Control": "no-store, no-cache",
        "Pragma": "no-cache",
        "Transfer-Encoding": "chunked",
        "Vary": "Accept-Encoding",
        "Set-Cookie": "ARRAffinity=404c30ae164cea1996847a74bb6b599076bae071bff69e3a69c7f1aed31d448b;Path=/;HttpOnly;Secure;Domain=azuresentinel-ce.azconn-ce-001.p.azurewebsites.net,ARRAffinitySameSite=404c30ae164cea1996847a74bb6b599076bae071bff69e3a69c7f1aed31d448b;Path=/;HttpOnly;SameSite=None;Secure;Domain=azuresentinel-ce.azconn-ce-001.p.azurewebsites.net",
        "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
        "x-ms-request-id": "XXXXXXXXX",
        "X-Content-Type-Options": "nosniff",
        "X-Frame-Options": "DENY",
        "x-ms-dlp-re": "-|-",
        "x-ms-dlp-gu": "-|-",
        "x-ms-dlp-ef": "-|-/-|-|-",
        "Timing-Allow-Origin": "*",
        "x-ms-apihub-cached-response": "false",
        "x-ms-apihub-obo": "false",
        "Date": "Tue, 27 May 2025 18:25:04 GMT",
        "Content-Type": "application/json; charset=utf-8",
        "Expires": "-1",
        "Content-Length": "1954"
    },
    "body": {
        "id": "my sub info here",
        "name": "XXXXXXX",
        "etag": "\"XXXXXXXXX\"",
        "type": "Microsoft.SecurityInsights/Incidents",
        "properties": {
            "title": "Ransomware extension found",
            "severity": "High",
            "status": "Active",
            "owner": {
                "objectId": "XXXXXXX",
                "email": null,
                "assignedTo": "Our SOC team,
                "userPrincipalName": null
            },
            "labels": [],
            "firstActivityTimeUtc": "2025-05-27T18:09:47.339757Z",
            "lastActivityTimeUtc": "2025-05-27T18:09:47.4110304Z",
            "lastModifiedTimeUtc": "2025-05-27T18:24:19.1407384Z",
            "createdTimeUtc": "2025-05-27T18:16:50.78Z",
            "incidentNumber": IN MUMBER,
            "additionalData": {
                "alertsCount": 1,
                "bookmarksCount": 0,
                "commentsCount": 0,
                "alertProductNames": [
                    "Azure Sentinel"
                ],
                "providerIncidentUrl": "https://security.microsoft.com/incidentxxxxxxxx",
                "mergedIncidentNumber": null,
                "mergedIncidentUrl": null,
                "tactics": [
                    "Impact"
                ],
                "techniques": [
                    "T1486"
                ]
            },
            "firstActivityTimeGenerated": "2025-05-27T18:09:47.339757Z",
            "lastActivityTimeGenerated": "2025-05-27T18:24:19.1407384Z",
            "relatedAnalyticRuleIds": [
                "/subscriptions/XXXXXXXX-6946deba4f7d/resourceGroups/xxxxxxxxx/providers/Microsoft.OperationalInsights/workspaces/XXXXXXX/providers/Microsoft.SecurityInsights/alertRules/XXXXXXXX"
            ],
            "incidentUrl": "https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/XXXXXXX-XXX/resourceGroups/XXXXX/providers/Microsoft.OperationalInsights/workspaces/XXXX/providers/Microsoft.SecurityInsights/Incidents/XXXXX",
            "providerIncidentId": "XXX",
            "comments": []
        }
    }
}

I am not able to get the UPN from the generated incident. I am then unable to reach the PARSE step. Any guidance on how to get the UPN present in the JSON

Thanks for your help

Rukmini 3,841 Reputation points Microsoft External Staff Moderator

2025-06-05T10:51:29.5333333+00:00

Hello Louis Siepen,

The problem is that the incident JSON produced by Sentinel does not automatically contain the customDetails field from your KQL query. This is due to the fact that Sentinel incidents only contain particular fields that are mapped in the alert configuration of the analytic rule. CustomDetails is not included in the incident when it is projected in KQL.

Update the Sentinel analytical rule to specifically map the UPN field as a custom alert property in the alert details of the rule in order to fix the issue. Logic App can analyze and utilize the UPN once it has been mapped and appears in the incident JSON.

Let me know if further queries - feel free to reach out!
Rukmini 3,841 Reputation points Microsoft External Staff Moderator

2025-06-06T10:45:29.23+00:00

Hello Louis Siepen, Did you a get a chance to review the above comment? In case if you have any resolution, please do share that same with the community as it can be helpful to others Please let us know if any further queries so that we can try to help!
Louis Siepen 20 Reputation points

2025-06-09T22:37:32.0266667+00:00
hello @ Rukmini,

I was able to get a UPN from sentinel from the alert details but sentinel normalizes those data, so the UPN was never correct. When sent to the playbook it would always fail.

However, I noticed that when an incident is generated by default sentinel gets UPN's directly from defender which allows to always have the correct info of the affected users (UPN included).

So this is how I modified my KQL so it gets info directly from defender :

kql :

DeviceFileEvents

| where ActionType == "FileRenamed"

| extend NewExtension = extract(@'.([a-zA-Z0-9]+)$', 1, FileName)

| where NewExtension != ""

| extend NewExtension = strcat(".", tolower(NewExtension))

| where NewExtension in~ (".locky", ".ryuk", ".conti", ".revil", ".megacortex", ".darkside", ".clop", ".blackcat", ".egregor", ".avaddon")

| project

TimeGenerated, DeviceName, FileName, PreviousFileName, NewExtension, FolderPath, InitiatingProcessFileName, InitiatingProcessAccountName, InitiatingProcessAccountUpn, InitiatingProcessCommandLine

| where isnotempty(InitiatingProcessAccountUpn)

Then in my playbook i use a for loop to get info from each alerts(from the incident), I am able now to Parse JSON and the UPN from get alert details and in the "To" field of send an email (v2), i use : first(body('Parse_JSON')?['AffectedUserUPN']).

Incident enhancement :

Playbook:

Unfortunately, after multiple tests that led me to the above method, sentinel is not detecting any of the simulation I am generating at the moment to be able to test the method, I will have to wait a couple of hours to try again on my test machine, and will come back here to let you know
Mallikarjuna Vardham 450 Reputation points Microsoft External Staff Moderator

2025-06-10T16:38:16.7+00:00

Hello Louis Siepen,

I just wanted to check in and see if you’ve had a chance to test the method on your test machine after waiting a few hours. Were you able to get the expected results?
Louis Siepen 20 Reputation points

2025-06-11T02:26:26.52+00:00

hello @Mallikarjuna Vardham ,

I was finally able to get the proper UPN from defender transferred to Sentinel, its custom details, as well as mapped entities :

I was then able to do a parse on the custom details , but the playbooks tells me that I am doing something wrong, in fact I am trying to parse the outputs from custom details :

I get : InvalidJSON

The 'content' property of actions of type 'ParseJson' must be valid JSON. The provided value cannot be parsed: 'Unexpected character encountered while parsing value: j. Path '', line 0, position 0.'.

Please advise
Rukmini 3,841 Reputation points Microsoft External Staff Moderator

2025-06-11T11:39:07.08+00:00

Hello Louis Siepen, We will check internally and get back to you shortly.

2 answers

Your answer

Jyotishree Moharana 1,845 Reputation points Microsoft External Staff Moderator

2025-05-30T14:37:23.71+00:00

Hello @Louis Siepen,

Following up to check if you have any questions or query, kindly do let us know.
Louis Siepen 20 Reputation points

2025-05-30T14:45:45.0733333+00:00

hello @Jyotishree Moharana
ok, I will try to implement the parse solution, thank you for your help !Have a nice day
Jyotishree Moharana 1,845 Reputation points Microsoft External Staff Moderator

2025-06-03T05:57:56.24+00:00

Hello @Louis Siepen,

Following up to check if you had a chance to try the suggested steps and if you have any query.
Louis Siepen 20 Reputation points

2025-06-03T15:34:41.83+00:00

hello @Jyotishree Moharana I will try now and let you know before the end of today

thanks
Rukmini 3,841 Reputation points Microsoft External Staff Moderator

2025-06-05T10:51:29.5333333+00:00

Hello Louis Siepen,

The problem is that the incident JSON produced by Sentinel does not automatically contain the customDetails field from your KQL query. This is due to the fact that Sentinel incidents only contain particular fields that are mapped in the alert configuration of the analytic rule. CustomDetails is not included in the incident when it is projected in KQL.

Update the Sentinel analytical rule to specifically map the UPN field as a custom alert property in the alert details of the rule in order to fix the issue. Logic App can analyze and utilize the UPN once it has been mapped and appears in the incident JSON.

Let me know if further queries - feel free to reach out!
Rukmini 3,841 Reputation points Microsoft External Staff Moderator

2025-06-06T10:45:29.23+00:00

Hello Louis Siepen, Did you a get a chance to review the above comment? In case if you have any resolution, please do share that same with the community as it can be helpful to others Please let us know if any further queries so that we can try to help!
Louis Siepen 20 Reputation points

2025-06-09T22:37:32.0266667+00:00

hello @ Rukmini,

I was able to get a UPN from sentinel from the alert details but sentinel normalizes those data, so the UPN was never correct. When sent to the playbook it would always fail.

However, I noticed that when an incident is generated by default sentinel gets UPN's directly from defender which allows to always have the correct info of the affected users (UPN included).

So this is how I modified my KQL so it gets info directly from defender :

kql :

DeviceFileEvents

| where ActionType == "FileRenamed"

| extend NewExtension = extract(@'.([a-zA-Z0-9]+)$', 1, FileName)

| where NewExtension != ""

| extend NewExtension = strcat(".", tolower(NewExtension))

| where NewExtension in~ (".locky", ".ryuk", ".conti", ".revil", ".megacortex", ".darkside", ".clop", ".blackcat", ".egregor", ".avaddon")

| project

TimeGenerated, DeviceName, FileName, PreviousFileName, NewExtension, FolderPath, InitiatingProcessFileName, InitiatingProcessAccountName, InitiatingProcessAccountUpn, InitiatingProcessCommandLine

| where isnotempty(InitiatingProcessAccountUpn)

Then in my playbook i use a for loop to get info from each alerts(from the incident), I am able now to Parse JSON and the UPN from get alert details and in the "To" field of send an email (v2), i use : first(body('Parse_JSON')?['AffectedUserUPN']).

Incident enhancement :

Playbook:

Unfortunately, after multiple tests that led me to the above method, sentinel is not detecting any of the simulation I am generating at the moment to be able to test the method, I will have to wait a couple of hours to try again on my test machine, and will come back here to let you know
Mallikarjuna Vardham 450 Reputation points Microsoft External Staff Moderator

2025-06-10T16:38:16.7+00:00

Hello Louis Siepen,

I just wanted to check in and see if you’ve had a chance to test the method on your test machine after waiting a few hours. Were you able to get the expected results?
Louis Siepen 20 Reputation points

2025-06-11T02:26:26.52+00:00

hello @Mallikarjuna Vardham ,

I was finally able to get the proper UPN from defender transferred to Sentinel, its custom details, as well as mapped entities :

I was then able to do a parse on the custom details , but the playbooks tells me that I am doing something wrong, in fact I am trying to parse the outputs from custom details :

I get : InvalidJSON

The 'content' property of actions of type 'ParseJson' must be valid JSON. The provided value cannot be parsed: 'Unexpected character encountered while parsing value: j. Path '', line 0, position 0.'.

Please advise
Rukmini 3,841 Reputation points Microsoft External Staff Moderator

2025-06-11T11:39:07.08+00:00

Hello Louis Siepen, We will check internally and get back to you shortly.

Answer 1

Hello @Louis Siepen,

Based on the description you're experiencing an issue where the "Send an email (V2)" action in your Logic App fails because the "To" field receives a null value, resulting in a Bad Request error. This is happening even though you've correctly constructed the UPN in your KQL query using extend UPN = strcat(InitiatingProcessAccountName, "@mydomain.com") and added it to the CustomDetails using bag_pack("UPN", UPN). The root cause is that while CustomDetails is included in the incident metadata, it is not automatically parsed or accessible within the Logic App unless explicitly extracted. Unlike predefined entities such as Account, Mailbox, or IP, custom details are treated as nested objects within the incident's JSON structure and are not exposed as dynamic content by default in Logic Apps.

To make the UPN accessible, you can try adding a Parse JSON action immediately after the Get incident action in your Logic App. In this step, you should target body

('Get_incident')?['properties']?['customDetails']

as the content and provide a schema that defines the UPN as a string. Once parsed, the UPN becomes available as dynamic content or can be accessed using the expression

@body('Parse_JSON')?['UPN']

This enables the To field in the email action to correctly receive the intended email address. Before this, it's important to verify that the UPN field is actually present in the incident JSON under customDetails by inspecting a generated incident in Sentinel. If the UPN is missing, ensure the KQL is part of an active Analytics Rule and is correctly structured.

If you have any questions or query, please let us know.

Answer 2

Louis Siepen 20

I finally got it to work, using the proper dynamic expression that parses the content of Custom Details. I declared an array in the Schema since we might have multiple users affected by an incident. Then in the filed To, I use the content of the array (with first, select the element [0] of the array, the first UPN ) and now its sending emails to affected users using the correct UPN
User's image

User's image

We can close the thread now if you wish, thank you !

Share via

not able to send an email to the affected user linked to an incident generated by sentinel

2 answers

Your answer