Forum Discussion
DGMalcolm
Jan 31, 2024Iron Contributor
Enrich Sentinel Incident Emails
Hey there, I've posted here on this topic before when I didn't even know where to start - (https://techcommunity.microsoft.com/t5/microsoft-sentinel/include-additional-entities-detail-in-email/m-p/3...
Clive_Watson
Feb 02, 2024Bronze Contributor
DGMalcolm
Feb 07, 2024Iron Contributor
This was fantastic! Thank you very much. I made a bunch of progress since you responded. For a lot of the alerts we get this works perfectly but only if the accounts that I'm acquiring have the friendly name by default. With some alerts, like Atypical Travel, the accounts show as an object ID and those don't show if I use "Entities - Get Accounts". And I don't see anything that allows me to extract the account entities if they're object IDs. Thoughts?
Clive_Watson
Feb 07, 2024Bronze Contributor
Typically you will have two choices.
1. You need to either enrich the original alert so that it looks up the account for the object ID, or run a totally custom rule to do that.
2. You need to run a query within the playbook to do the same lookup and match as a step before get-entities.
A third choice is to call a custom rule.
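For option 1 (enriching the rule) and equally for the query a playbook would run under option 2, here is an added example KQL query; it is not code from this thread or from Microsoft, and the table and field names it relies on are stated as assumptions: alerts land in the SecurityAlert table with the account entity carrying an AadUserId, the UEBA IdentityInfo table is populated in the workspace, and the alert name string "Atypical travel" matches what your tenant emits.

```kql
// Added example (not from the thread): resolve account entities that arrive only as an
// Entra object ID (AadUserId) to a UPN and display name via the UEBA IdentityInfo table.
// Assumptions: alerts are in SecurityAlert, IdentityInfo is populated by UEBA, and the
// AlertName string "Atypical travel" matches the alerts in your tenant.
let lookback = 1d;
let identities = IdentityInfo
    | where TimeGenerated > ago(30d)
    // IdentityInfo is a snapshot table; keep only the newest row per object ID
    | summarize arg_max(TimeGenerated, *) by AccountObjectId
    | project AccountObjectId, AccountUPN, AccountDisplayName, Department, Manager;
SecurityAlert
| where TimeGenerated > ago(lookback)
| where AlertName has "Atypical travel"
// Entities is a JSON array stored as a string; expand it to one row per entity
| mv-expand Entity = todynamic(Entities)
| where tostring(Entity.Type) =~ "account"
| extend AccountObjectId = tostring(Entity.AadUserId),
         EntityName = tostring(Entity.Name)
// Only entities that carry an object ID need the lookup; friendly-name entities already work
| where isnotempty(AccountObjectId)
| join kind=leftouter identities on AccountObjectId
// Fall back to whatever name the entity carried if IdentityInfo has no match
| extend ResolvedUPN = coalesce(AccountUPN, EntityName)
| project TimeGenerated, SystemAlertId, AlertName, AccountObjectId,
          ResolvedUPN, AccountDisplayName, Department, Manager
```

Used under option 1, this query (or the equivalent join against your own source table) becomes the body of a scheduled analytics rule, with ResolvedUPN mapped to the Account entity's name in the rule's entity mapping, so the playbook's "Entities - Get Accounts" step then sees a friendly name rather than a GUID. Used under option 2, the same query runs from the playbook through the Azure Monitor Logs connector's "Run query and list results" action, filtering on the incident's SystemAlertId instead of a time window, and its rows feed the email body directly. If UEBA is not enabled and IdentityInfo is empty, the same join works against SigninLogs, matching the object ID on its UserId column and taking UserPrincipalName from the most recent sign-in.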