This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(281.6, 8%, 37%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJ%3C/text%3E%3C/svg%3E)
Hello,
I am trying to configure sending alert queries to Slack and having some issues with displaying the information proper. I have a scheduled alert from Azure Sentinel, and displays data like so to Slack:
Excessive Windows logon failures (copy)User has over 50 Windows logon failures today and at least 33% of the count of logon failures over the previous 7 days.[{"$id":"3","HostName":"xx1010003","Type":"host"},
Is there a way to make a link to the query when posting the message to Slack and sanitize the message sent? My current Logic App flows are:
The other way i have it is eliminating Step 2 completely, and Slack always outputs the message but when I put the dynamic content expressions.. It doesn't seem to capture the alert name at all and just leaves it as [alert name][sourceip] "investigated"
Thoughts?
Could you share a screenshot of your workflow and/or the definition JSON (removing any sensitive information)?
Sorry for the delay.
I have set up the following, but getting this output. I am trying to make the alarm output attractive for analysts to review.
Based on the screenshot you've shared, instead of just using the tokens one after the other, you would have to follow formatting rules for slack messages.
For example, to create a link with text as shown in their docs, you would need to use something like this - <*Incident URL Token*|Incident URL (or any text you need)>
<Incident URL Token|Incident URL (or any text you need)>
In this case, incident URL should populate as any text ?
What about if i want to populate with source/destination IP if this were network traffic? For example, fire wall alarms. Can this be done through incident trigger or via query?
That should be possible as well but would involve parsing the data from the Sentinel Alert to get the required details and then is just a matter of replacing Incident URL (or any text you need) in the above.
I will review and keep you updated.
Still not getting the right output..
"Post_message": {
"inputs": {
"host": {
"connection": {
"name": "@parameters('$connections')['slack']['connectionId']"
}
},
"method": "post",
"path": "/chat.postMessage",
"queries": {
"channel": "security-alert-testing",
"text": "@{body('Alert_-_Get_incident')?['properties']?['title']}@{body('Alert_-_Get_incident')?['properties']?['createdTimeUtc']}@{body('Alert_-_Get_incident')?['properties']?['incidentUrl']}\n"
}
Based on the slack link im not sure how to edit this proper as im doing dynamic calls for the alert and url to display. The doc provided has it for manual links. Can you point in the direction of how to parse it to display
Alert Name/Type , Source, Destination, URL (shortened version)