
Within Azure Sentinel, I have several automation rules set up that respond with various playbooks/logic apps.

I want to be notified, or know how to search the logs, to find all the:

  1. failed runs,
  2. failed actions (by playbooks/logic apps), and
  3. times when a playbook connection is disconnected (see screenshot below).

The closest I've gotten to this is via AzureDiagnostics logs, but I'm noticing this only captures less than 1% of the logic apps in my environment.

    AzureDiagnostics
    | where OperationName contains "Microsoft.Logic"
    // third path segment, e.g. workflowRunCompleted / workflowActionCompleted
    | extend OperationType = tostring(split(OperationName,'/')[2])
    // workflow name is the 9th segment of the resource ID
    | extend LogicApp = tostring(split(ResourceId,'/')[8])
    // digits after "<GUID>_" in the client tracking ID; \d (not a bare d) matches digits
    | extend IncidentNumber = toint(extract(@"[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}_(\d+)", 1, correlation_clientTrackingId_s))
    | summarize Resource = strcat_array(make_set(Resource),', '),
                status_s = strcat_array(make_set(status_s),', ')  by LogicApp, IncidentNumber, OperationType, Level

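A query for the first two items (failed runs and failed actions), added here as an example and not taken from the question or the answers. It reads the WorkflowRuntime diagnostic events and assumes the flattened AzureDiagnostics column names resource_workflowName_s, resource_runId_s, resource_actionName_s, error_code_s and error_message_s, which should be checked against your workspace; it only ever sees workflows whose diagnostic setting forwards the WorkflowRuntime category to this workspace, which is why the table looks like a small sample when that setting is missing on most playbooks.

```kql
// Added example: failed Logic App runs and failed actions from WorkflowRuntime diagnostics.
// Assumed column names (flattened from the diagnostic JSON): resource_workflowName_s,
// resource_runId_s, resource_actionName_s, status_s, error_code_s, error_message_s.
AzureDiagnostics
| where ResourceProvider =~ "MICROSOFT.LOGIC"
| where Category == "WorkflowRuntime"
// only the completion events carry a final status for a run or an action
| where OperationName in ("Microsoft.Logic/workflows/workflowRunCompleted",
                          "Microsoft.Logic/workflows/workflowActionCompleted")
| where status_s == "Failed"
| extend LogicApp    = tostring(resource_workflowName_s),
         RunId       = tostring(resource_runId_s),
         // empty for run-level events, the action name for action-level events
         Action      = tostring(resource_actionName_s),
         FailureKind = iff(OperationName endswith "workflowRunCompleted", "Run", "Action"),
         ErrorCode   = tostring(error_code_s),
         ErrorText   = tostring(error_message_s),
         // Sentinel-triggered runs carry "<incident GUID>_<incident number>" as the tracking ID
         IncidentNumber = toint(extract(@"_(\d+)$", 1, correlation_clientTrackingId_s))
| project TimeGenerated, LogicApp, FailureKind, Action, RunId, IncidentNumber,
          ErrorCode, ErrorText, ResourceGroup
| order by TimeGenerated desc
```

Adding the diagnostic setting to every playbook is what closes the coverage gap; the query itself can then be saved as a scheduled log alert rule to get the notification.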

Answers


  1. Chosen as BEST ANSWER

    This KQL will show all Logic App failures; however, it will not show when a connection fails.

    AzureActivity
    | where ResourceProviderValue =~ "Microsoft.Logic"
    // flatten the Authorization and Properties JSON into prefixed columns
    | mv-expand parse_json(Authorization)
    | evaluate bag_unpack(Authorization,  OutputColumnPrefix='Authorization_')
    | mv-expand parse_json(Properties)
    | evaluate bag_unpack(Properties,  OutputColumnPrefix='Properties_')
    // workflow name is normally the 9th ResourceId segment; fall back to the last segment when that slot holds a region
    | extend LogicApp = tostring(iff(split(ResourceId,'/')[8]=="australiaeast",split(ResourceId,'/')[-1],split(ResourceId,'/')[8]))
    | summarize Properties_statusMessage=strcat_array(make_set(Properties_statusMessage),', '),
                Properties_message=strcat_array(make_set(Properties_message),', '),
                Properties_isComplianceCheck=strcat_array(make_set(Properties_isComplianceCheck),', '),
                ActivityStatus=strcat_array(make_set(ActivityStatus),', '),
                ActivityStatusValue=strcat_array(make_set(ActivityStatusValue),', '),
                CallerIpAddress=strcat_array(make_set(CallerIpAddress),', ')  by EventSubmissionTimestamp,LogicApp, Caller, OperationName, Resource

  2. You can create an alert rule on a logic app:
