Log Analytics Alerts to LogicApps

  • Question

  • Hi!

    I am using Log Analytics and I have some logs here. For example, in one of my workspaces I have the SecurityEvents log; when I make a KQL request I get some data as a result:

    [image not permitted =\]

    That's okay.

    After that, I want to generate an alert for some request. I am going to Monitoring->Alerts->New Alert Rule.

    I am adding some interesting request (KQL). The next step is Action - what I want to do with that alert; for example, I can create an Action Group _mail_or_sms_ and send the alert information that way.

    But what if I want to use a Logic App as the trigger? I have a blank logic app available for this:

    [image not permitted =\]

    I can choose it, and it's okay.

    My question (finally) is - how can I receive alert data in TestLogicApp? According to the Apps Designer, I have to use some kind of connector\trigger:

    [image not permitted =\]

    Unfortunately, I have no idea what trigger I should use to connect my LogAnalytics alert with the Logic App.

    I have tried some of these, but I am still stuck.

     

    Thanks for your help!

    Sorry for my English, I am not a native speaker.

     

    Monday, November 18, 2019 6:11 AM

All replies

  • Hi

    Integration with Azure Alerts and Logic App is documented here:

    https://docs.microsoft.com/en-us/azure/azure-monitor/platform/alerts-common-schema-integrations

    The example is for the common alert schema, which is the recommended one to use. Basically the logic app should have an HTTP receiver, as the action group sends an HTTP request to the logic app.

    Monday, November 18, 2019 7:12 AM
  • Hi, thanks for your answer. I will try it and write about the results.

    -----

    UPD.

    Okay, I have done it according to the instructions.

    I want to use "Send Email" as the Action; Azure suggests using Office 365 Outlook for it. When I authenticate in it I receive an error - REST API is not supported for local servers.

    Is there a way to send email as I did in simple alerts? It was sent from an @microsoft.com account to my mail. Can I do the same in a logic app?

    Thank you!

    ______________

    UPD_FINAL

    Well, I have finally solved my problems. I used the SMTP module for email.

    For the primary problem - I used "When HTTP request received" as the trigger - LogAnalytics sends JSON with all the data over HTTP.

    After receiving it I used "Parse JSON"; after that I can use fields from the JSON and parse all the interesting information. But I strongly do not recommend using that way for parsing-composing-emailing.

    I suggest sending alerts from LogAnalytics to your own webhook and using a well-known programming language to manage the data, not this horrible logicApps with graphics, wrongly working dynamic suggestions, etc.

    • Edited by Pavel_trlll Thursday, November 21, 2019 8:29 AM
    • Marked as answer by Pavel_trlll Thursday, November 21, 2019 8:29 AM
    Monday, November 18, 2019 8:00 AM
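
The approach suggested in the marked answer (post the alert to your own webhook and handle the JSON in code), sketched as an added example that is not part of the original thread. It assumes the action group sends the common alert schema described at the linked documentation page; it treats the request body as untrusted input, validating it before use and stripping control characters before alert text reaches a mail header. The HTTP listener and the SMTP send are left out, and the sample payload, size cap and addresses are constructed placeholders.

```python
import json
from email.message import EmailMessage

MAX_BODY = 256 * 1024  # assumed size cap for this sketch
REQUIRED = ("alertRule", "severity", "monitorCondition", "firedDateTime")

def parse_alert(body: bytes) -> dict:
    """Validate a common-alert-schema body; return data.essentials."""
    if len(body) > MAX_BODY:
        raise ValueError("payload too large")
    doc = json.loads(body)  # JSONDecodeError is a ValueError
    if not isinstance(doc, dict) or doc.get("schemaId") != "azureMonitorCommonAlertSchema":
        raise ValueError("not a common alert schema payload")
    data = doc.get("data")
    essentials = data.get("essentials") if isinstance(data, dict) else None
    if not isinstance(essentials, dict):
        raise ValueError("missing data.essentials")
    bad = [k for k in REQUIRED if not isinstance(essentials.get(k), str)]
    if bad:
        raise ValueError("missing or non-string fields: " + ", ".join(bad))
    return essentials

def one_line(value: str, limit: int = 120) -> str:
    """Drop CR/LF and other control characters so alert text stays in one header."""
    return "".join(c for c in value if c.isprintable())[:limit]

def compose_email(essentials: dict, sender: str, recipient: str) -> EmailMessage:
    msg = EmailMessage()
    msg["From"], msg["To"] = sender, recipient
    msg["Subject"] = one_line("[{severity}] {alertRule} {monitorCondition}".format(**essentials))
    msg.set_content("\n".join(f"{k}: {essentials[k]}" for k in REQUIRED))
    return msg

# Constructed sample payload, not captured from a real workspace.
SAMPLE = json.dumps({
    "schemaId": "azureMonitorCommonAlertSchema",
    "data": {
        "essentials": {
            "alertRule": "Failed logons (constructed)",
            "severity": "Sev3",
            "monitorCondition": "Fired",
            "firedDateTime": "2019-11-18T06:11:00Z",
        },
    },
}).encode()

if __name__ == "__main__":
    print(compose_email(parse_alert(SAMPLE), "alerts@example.org", "soc@example.org"))
```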