Email data parsing

Hello, recently I was trying to get the data from my Azure Sentinel alerts in my email using a playbook, but the main issue is how to get the desired field in the email.

4 Replies
Have you tried using 'Parse JSON' in Logic Apps and giving it the output of 'A new Sentinel Event is created'?
This will enable you to use the different fields really easily in the next steps.

@Aalekh

Also, we can add @Jon Nordström's Azure function, which is more cost effective and tested at large scale:

https://github.com/OfficeDev/O365-ActivityFeed-AzureFunction/tree/master/Sentinel/msgtrace

Here is the data schema: [image: schema.GIF]
@Yaniv Shasha 

Does this mean you guys recommend using Functions instead of Logic Apps?

@Thijs Lecomte these are two different methods that work with the same Exchange API.

If dealing with transferring a lot of data, a function will be more cost effective.

A logic app has its own advantages, like debugging.
