Forum Discussion
MartijnZwart
May 10, 2022 - Copper Contributor
Enrich table with entities from security incident
Hi, I want to create an extra column for entity data from the incident, like host, IP and account. But I can't seem to get it working. What do I need to add to this query? SecurityIncident | ...
Clive_Watson
May 10, 2022 - Bronze Contributor
MartijnZwart, an example for the IP entity, which may give you a clue. As you are doing this for a Workbook, take a look at the "Investigation Insights" built-in template which has this.
SecurityIncident
// keep only the latest row per incident (incidents are re-logged on every update)
| summarize arg_max(TimeGenerated,*) by IncidentNumber
// AlertIds is a JSON array of alert GUIDs; expand it to one row per alert
// (todynamic() is a no-op if the column is already dynamic)
| mv-expand AlertIds = todynamic(AlertIds) to typeof(string)
| join
(
SecurityAlert
// Entities is a JSON string; parse it and expand to one row per entity
| extend AlertEntities = parse_json(Entities)
| mv-expand AlertEntities
| where isnotempty(AlertEntities)
// keep only IP entities; the address lives in the "Address" field
| where AlertEntities.Type == "ip"
| extend EntityIP = tostring(AlertEntities.Address)
| extend EntityType = tostring(AlertEntities.Type)
) on $left.AlertIds == $right.SystemAlertId
| project IncidentName = Title, IncidentNumber=IncidentNumber, EntityIP, EntityType, AlertId = AlertIds, AlertName = AlertName
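Building on the query above, here is an added example (not code from the thread) that goes one step further and collects host, IP and account entities into separate per-incident columns; it assumes the standard Sentinel entity fields (Address for ip, HostName for host, Name and NTDomain for account) and the Severity and Status columns of SecurityIncident.

```kql
// Added example: one row per incident with host, IP and account entity sets.
// Assumes the standard Sentinel entity schema (Type "ip" -> Address,
// "host" -> HostName, "account" -> Name / NTDomain).
SecurityIncident
| summarize arg_max(TimeGenerated, *) by IncidentNumber
// AlertIds is a JSON array; todynamic() is a no-op if already dynamic
| mv-expand AlertId = todynamic(AlertIds) to typeof(string)
| join kind=inner (
    SecurityAlert
    // alerts are also re-logged on update; keep the latest copy of each
    | summarize arg_max(TimeGenerated, *) by SystemAlertId
    | extend Entity = parse_json(Entities)
    | mv-expand Entity
    | where isnotempty(Entity)
    | extend EntityType = tolower(tostring(Entity.Type))
    // pick the identifying field per entity type; other types are dropped
    | extend EntityValue = case(
        EntityType == "ip",      tostring(Entity.Address),
        EntityType == "host",    tostring(Entity.HostName),
        EntityType == "account", iff(isempty(tostring(Entity.NTDomain)),
                                     tostring(Entity.Name),
                                     strcat(tostring(Entity.NTDomain), @"\", tostring(Entity.Name))),
        "")
    | where isnotempty(EntityValue)
    | project SystemAlertId, AlertName, EntityType, EntityValue
) on $left.AlertId == $right.SystemAlertId
// fold the per-alert rows back into one row per incident
| summarize
    Hosts    = make_set_if(EntityValue, EntityType == "host"),
    IPs      = make_set_if(EntityValue, EntityType == "ip"),
    Accounts = make_set_if(EntityValue, EntityType == "account"),
    Alerts   = make_set(AlertName)
    by IncidentNumber, IncidentName = Title, Severity, Status
```

In a Workbook the set columns render as JSON arrays; add a final `| extend IPs = strcat_array(IPs, ", ")` (and likewise for the other sets) if you prefer plain comma-separated text.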