Hello,
I am trying to configure sending alert queries to Slack and am having some issues with displaying the information properly. I have a scheduled alert from Azure Sentinel, and it displays data like so in Slack:
Excessive Windows logon failures (copy)User has over 50 Windows logon failures today and at least 33% of the count of logon failures over the previous 7 days.[{"$id":"3","HostName":"xx1010003","Type":"host"},
Is there a way to make a link to the query when posting the message to Slack and sanitize the message sent? My current Logic App flows are:
- When a response to an Azure Sentinel alert is triggered
- Run query and list results
- Post Message (Slack)
The other way I have it is eliminating step 2 completely, and Slack always outputs the message, but when I put in the dynamic content expressions, it doesn't seem to capture the alert name at all and just leaves it as [alert name][sourceip] "investigated".
Thoughts?
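The formatting problem in the post comes from the alert's Entities field being a JSON string that gets concatenated straight into the Slack text. The following is an added example (not the poster's Logic App and not Microsoft's code) written in Python to show what the Slack step should do: parse the Entities JSON, render each entity as a readable label, escape the characters Slack's mrkdwn treats as control characters (&, <, >), and append a clickable link to the alert. The field names AlertDisplayName, Description, Severity, Entities and AlertLink are assumed to match the Sentinel alert trigger's output, the entity property names (HostName, Name, UPNSuffix, Address) are assumed from common Sentinel entity shapes, and the sample alert and portal URL are constructed placeholders; check them against your own trigger's dynamic content.

```python
import json

# Constructed sample of the payload the Sentinel alert trigger hands to the Logic App.
# Field names are assumed (see lead-in); the AlertLink is a placeholder, not a real URL.
SAMPLE_ALERT = {
    "AlertDisplayName": "Excessive Windows logon failures (copy)",
    "Description": ("User has over 50 Windows logon failures today and at least 33% "
                    "of the count of logon failures over the previous 7 days."),
    "Severity": "Medium",
    "Entities": '[{"$id":"3","HostName":"xx1010003","Type":"host"},'
                '{"$id":"4","Name":"jdoe","UPNSuffix":"example.com","Type":"account"}]',
    "AlertLink": "https://portal.azure.com/#blade/PLACEHOLDER/alert/00000000-0000-0000-0000-000000000000",
}


def slack_escape(text: str) -> str:
    """Slack mrkdwn treats &, < and > as control characters; escape them so
    entity values (hostnames, URLs, user input) cannot inject links or mentions."""
    return text.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")


def parse_entities(entities_json):
    """Entities arrives as a JSON string; return a list of dicts, tolerating bad input."""
    if not entities_json:
        return []
    try:
        data = json.loads(entities_json)
    except (TypeError, ValueError):
        return []
    return data if isinstance(data, list) else []


def entity_label(entity):
    """Pick a human-readable label per entity type; fall back to dumping the
    non-bookkeeping fields so nothing is silently dropped."""
    kind = entity.get("Type", "unknown")
    if kind == "host":
        return f"host: {entity.get('HostName', '?')}"
    if kind == "account":
        name = entity.get("Name", "?")
        upn = entity.get("UPNSuffix")
        return f"account: {name}@{upn}" if upn else f"account: {name}"
    if kind == "ip":
        return f"ip: {entity.get('Address', '?')}"
    fields = {k: v for k, v in entity.items() if k not in ("$id", "Type")}
    return f"{kind}: {json.dumps(fields, sort_keys=True)}"


def build_slack_message(alert):
    """Assemble the mrkdwn text for the Slack 'Post Message' step."""
    title = slack_escape(alert.get("AlertDisplayName", "Sentinel alert"))
    severity = slack_escape(str(alert.get("Severity", "n/a")))
    lines = [f"*{title}* (severity: {severity})",
             slack_escape(alert.get("Description", ""))]
    entities = parse_entities(alert.get("Entities"))
    if entities:
        lines.append("Entities:")
        lines.extend(f"• {slack_escape(entity_label(e))}" for e in entities)
    link = alert.get("AlertLink")
    if link:
        # Slack link syntax is <url|text>; only & needs escaping inside the URL.
        lines.append(f"<{link.replace('&', '&amp;')}|Open alert in Azure Sentinel>")
    return "\n".join(lines)


if __name__ == "__main__":
    print(build_slack_message(SAMPLE_ALERT))
```

In the Logic App itself the same steps map onto a Parse JSON action fed with the expression `json(triggerBody()?['Entities'])`, a For each over the parsed array to build the entity lines, and the alert link placed in the Slack message text using the `<url|text>` syntax shown above; escaping the three characters before they reach the Slack step is what keeps a hostname or URL in an entity from being rendered as a link or mention.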