Forum Discussion
akshay250692
Jul 26, 2023 (Copper Contributor)
Custom Entity Mapping
I have written the KQL below with help from the community, but I am not able to create a custom entity in Set Rule Logic. I need to map the FailedAttempt field, but there is no option in the entity field. let threshold=2; let a...
- Jul 27, 2023: If you need to have the entity usable in an Automation rule, just select one of the existing entities and assign your field to it; just make sure to select one that the Automation rule could use.
GBushey
Jul 27, 2023 (Former Employee)
The Automation rule has a condition called "Custom details key". You can create a custom entity that will contain your field and then, in the Automation rule, select "Custom details key" that equals your custom entity name. Then another field called "Custom details value" gets created and you can use that to compare your value.
akshay250692
Jul 27, 2023 (Copper Contributor)
No option for "when alert is triggered".
- GBushey, Jul 27, 2023 (Former Employee): Not much can be done about that as the alert trigger has minimal functionality. I would suggest using the incident trigger if at all possible.
- akshay250692, Jul 27, 2023 (Copper Contributor): We are creating a playbook to reduce incidents.
- GBushey, Jul 27, 2023 (Former Employee): I would say you would be better off modifying the KQL of your rule to reduce the number of events being found rather than trying to use Automation rules. Once an alert has been generated, the incident will be created as well, unless the rule has been set to not create incidents automatically.