Forum Discussion
May 17, 2021
Cannot get 'Entities' via a custom analytic rule.
Hello folks, I am trying to write an analytic rule to get all the alerts from 'Microsoft 365 Security' center and generate incidents based on those alerts in Sentinel. All that the rule is lacki...
May 17, 2021
CliveWatson Thanks for the reply, but this does not work. It throws the error:
The name 'entityMappings' does not refer to any known column, table, variable or function.
CliveWatson
May 17, 2021
Former Employee
Sorry, that was just an example; you may prefer to use the UI option, or you need to replace:
<DeviceName> with a valid column that you have in your system. As you haven't shared any syntax, it's hard to guess at what entity you are trying to map. If it's an "Account", for example, you may need
| extend AccountCustomEntity=< your account name column >
maybe username or AccountCustomEntity = UserPrincipalName
https://github.com/Azure/Azure-Sentinel/blob/06832a873e1686244f0bc02b10f79ba879078864/Detections/MultipleDataSources/IridiumIOCs.yaml
May 17, 2021
Sorry, I was not able to interpret that.
So what I am doing is: I have created a Logic App for ingesting the Office 365 alerts via the Graph Security API, and then I am storing the results in a custom table called 'OfficeAlerts_LogicApp_CL'.
Then I am trying to query that table using KQL to make incidents from the alerts in that table.
My query is as below:
OfficeAlerts_LogicApp_CL
// comments_s holds the alert's 'comments' array as a JSON string; keep only new alerts
| where parse_json(comments_s)[0] == "New alert"
| where vendorInformation_provider_s == "Office 365 Security and Compliance"
// userStates_s holds the 'userStates' array as a JSON string; look at the first user
| where parse_json(userStates_s)[0].domainName == ""
I think maybe the problem is that the output is in pure 'json' and I am not able to parse/structure it so that I can get the entities in the incident.
Can you suggest something for this situation, please?
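The two halves of this thread fit together as follows. `entityMappings` is a section of the analytic rule definition (the YAML/ARM template, or the "Entity mapping" step in the rule wizard), not a KQL operator, which is why the query engine reports that the name does not refer to any column or function when it is pasted into the query. The KQL side only has to turn the JSON string columns into plain scalar columns; the mapping then points at those columns by name. Below is an added example in the Azure-Sentinel repository's rule-template YAML format; it is not the poster's rule and not the linked IridiumIOCs.yaml. The `id`, `title_s`, `severity_s` and the filter values are assumptions; `userStates_s` is read according to the Graph Security API alert schema (`userPrincipalName`, `logonIp`), which is what the Logic App ingests. The `*CustomEntity` column names are only a convention left over from the older mapping method; with `entityMappings` any column name works.

```yaml
# Added example (not code from the original thread): a scheduled analytic rule
# template in the Azure-Sentinel YAML format, built around the poster's custom
# table. Column names other than the three mentioned in the thread, and the id,
# are assumptions.
id: 00000000-0000-0000-0000-000000000000   # assumed placeholder; use a fresh GUID
name: Office 365 Security and Compliance alert (OfficeAlerts_LogicApp_CL)
description: |
  Raises an incident for each new alert ingested into OfficeAlerts_LogicApp_CL
  and maps the affected user and logon IP so the incident carries entities.
severity: Medium
requiredDataConnectors: []
queryFrequency: 5m
queryPeriod: 5m
triggerOperator: gt
triggerThreshold: 0
tactics:
  - InitialAccess
query: |
  OfficeAlerts_LogicApp_CL
  | where vendorInformation_provider_s == "Office 365 Security and Compliance"
  | where tostring(parse_json(comments_s)[0]) == "New alert"
  // userStates_s is a JSON array string: expand it so each affected user is a row
  | extend UserStates = parse_json(userStates_s)
  | mv-expand UserState = UserStates
  // Scalar columns are what the entity mapping below refers to
  | extend AccountCustomEntity = tostring(UserState.userPrincipalName),
           IPCustomEntity      = tostring(UserState.logonIp)
  | where isnotempty(AccountCustomEntity)
  // title_s and severity_s are assumed names for the alert's title/severity columns
  | project TimeGenerated, title_s, severity_s, AccountCustomEntity, IPCustomEntity
# entityMappings belongs to the rule definition, not to the KQL text above.
entityMappings:
  - entityType: Account
    fieldMappings:
      - identifier: FullName
        columnName: AccountCustomEntity
  - entityType: IP
    fieldMappings:
      - identifier: Address
        columnName: IPCustomEntity
```

One check before relying on this: run the `query:` block on its own in Logs and confirm that `AccountCustomEntity` and `IPCustomEntity` come back as non-empty strings, not as `dynamic` values; a mapping that points at a column of the wrong type, or at a column the query projected away, silently yields incidents with no entities, which is the symptom the thread started with.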