Forum Discussion
MartijnZwart (Copper Contributor)
May 10, 2022
Enrich table with entities from security incident
Hi,
I want to create an extra column for entity data from the incident, like host, IP and account. But I can't seem to get it working. What do I need to add to this query?
SecurityIncident
// {Severity}, {Tactics}, {Owner} and {Product} are workbook parameters; "*" means "all"
| where Severity in ({Severity}) or "*" in ({Severity})
| extend Tactics = todynamic(AdditionalData.tactics)
| where Tactics in ({Tactics}) or "*" in ({Tactics})
| extend Owner = todynamic(Owner.assignedTo)
| where Owner in ({Owner}) or "*" in ({Owner})
| extend Product = todynamic((parse_json(tostring(AdditionalData.alertProductNames))[0]))
| where Product in ({Product}) or "*" in ({Product})
| order by LastModifiedTime
| project LastModifiedTime, IncidentNumber, Title, Status, Severity, Tactics, Classification, ClassificationReason, ClassificationComment
| take 250
Thanks in advance
Clive_Watson (Bronze Contributor)
MartijnZwart, here is an example for the IP entity, which may give you a clue. As you are doing this for a Workbook, take a look at the "Investigation Insights" built-in template, which has this.
SecurityIncident
// keep only the latest record of each incident
| summarize arg_max(TimeGenerated, *) by IncidentNumber
| extend Alerts = extract("\\[(.*?)\\]", 1, tostring(AlertIds))
// AlertIds is a JSON array stored as a string; convert it so mv-expand yields one row per alert id
| mv-expand AlertIds = todynamic(AlertIds) to typeof(string)
| join (
    SecurityAlert
    | extend AlertEntities = parse_json(Entities)
    | mv-expand AlertEntities
    | where isnotempty(AlertEntities)
    | where AlertEntities.Type == "ip"
    | extend EntityIP = tostring(AlertEntities.Address)
    | extend EntityType = tostring(AlertEntities.Type)
) on $left.AlertIds == $right.SystemAlertId
| project IncidentName = Title, IncidentNumber = IncidentNumber, EntityIP, EntityType, AlertId = AlertIds, AlertName = AlertName
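Building on the answer above, the following is an added example (not code from the thread) that goes one step further than the single IP case: it collects the host, IP and account entities the question asks for into one column each per incident, so the result can be appended to the workbook query. It assumes the standard Sentinel entity field names (Address for ip, HostName for host, Name for account) and a fixed 7-day window in place of the workbook's time parameter.

```kql
// Added example, not from the thread: one row per incident with IP, host and
// account entities gathered into separate set columns.
let EntitiesByAlert =
    SecurityAlert
    | where TimeGenerated > ago(7d)          // assumption: replace with the workbook time parameter
    | extend E = parse_json(Entities)        // Entities is a JSON array stored as a string
    | mv-expand E                            // one row per entity
    | extend EntityType = tostring(E.Type)
    // pick the identifying field for each entity type (assumed standard entity schema)
    | extend EntityValue = case(
        EntityType == "ip", tostring(E.Address),
        EntityType == "host", tostring(E.HostName),
        EntityType == "account", tostring(E.Name),
        "")
    | where isnotempty(EntityValue)
    | project SystemAlertId, EntityType, EntityValue;
SecurityIncident
| where TimeGenerated > ago(7d)
| summarize arg_max(TimeGenerated, *) by IncidentNumber   // latest state of each incident
// AlertIds is a JSON array stored as a string; expand to one row per alert id
| mv-expand AlertId = todynamic(AlertIds) to typeof(string)
// leftouter keeps incidents whose alerts carry no entities of these types
| join kind=leftouter EntitiesByAlert on $left.AlertId == $right.SystemAlertId
// collapse back to one row per incident, one set per entity type
| summarize
    IPs = make_set_if(EntityValue, EntityType == "ip"),
    Hosts = make_set_if(EntityValue, EntityType == "host"),
    Accounts = make_set_if(EntityValue, EntityType == "account")
    by IncidentNumber, Title, Severity, Status
| order by IncidentNumber desc
```

The three set columns can then be added to the project list of the original workbook query by joining on IncidentNumber.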