Forum Discussion
akefallonitis
May 25, 2020 | Brass Contributor
Expanded Entities Combined in one alert/incident
Hi, I am trying to figure out how the default Create incidents based on Microsoft Defender Advanced Threat Protection alerts works with entities expanding them and correlated them in one inciden...
J3remy
May 19, 2023 | Copper Contributor
Not to necro an ancient post, but this seems to be the most prominent page talking about this.
Here's the solution I came up with: load the data into a table (or return it from a function). Then join as leftouter on the dataset.
let theAlertName = "Some Alert in SecurityAlert";
let days = 1d;
// One row per file entity found in the alert's Entities JSON array
let Entities_File = SecurityAlert
| where TimeGenerated > ago(days)
| where AlertName has theAlertName
// Substitute a dummy array when Entities is empty so mv-apply has something to expand
| extend Entities = iff(isempty(Entities), todynamic('[{"dummy" : ""}]'), todynamic(Entities))
| mv-apply Entities on (
    where Entities.Type == "file" //and isnotempty(Entities.ParentProcess)
    | extend File_Directory_ = tostring(Entities.Directory)
    | extend File_FileName_ = tostring(Entities.Name)
    | extend File_Hash_MD5_ = tostring(Entities.ImageFile.FileHashes[1].Value)
    | extend File_Hash_SHA1_ = tostring(Entities.ImageFile.FileHashes[0].Value)
)
| project SystemAlertId, File_Directory_, File_FileName_, File_Hash_MD5_, File_Hash_SHA1_;
// Main query: new alerts, joined (leftouter keeps alerts with no file entity) on SystemAlertId
SecurityAlert
| where TimeGenerated > ago(days)
| where AlertName == theAlertName and Status == 'New'
| join kind=leftouter Entities_File on SystemAlertId
| order by SystemAlertId desc
You can then do the same with other entity types, for example to get user-related entity information, substitute this instead:
| mv-apply Entities on (
    where Entities.Type == "account"
    | extend ActorName_ = tostring(Entities.Name)
    | extend ActorDnsDomain_ = tostring(Entities.DnsDomain)
    | extend ActorSid_ = tostring(Entities.Sid)
)
| project SystemAlertId, ActorName_, ActorDnsDomain_, ActorSid_
When using a method like this, it's a good way to pull out all related entities for creating an incident. If there is more than one user, file or process, they should get included in the incident graph this way...
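As an added example (not part of J3remy's post), the same mv-apply technique can be generalised: expand file and account entities in a single pass and aggregate them back to one row per alert, so the result is one row per alert with all of its entities rather than one joined row per entity. It assumes the same SecurityAlert/Entities schema as the post (Type, Name, Directory, Sid, DnsDomain on each entity object).

```kusto
// Added example, not from the original post. Assumes the SecurityAlert
// Entities column is a JSON array of objects carrying Type, Name,
// Directory, Sid and DnsDomain as in the post above.
let theAlertName = "Some Alert in SecurityAlert";
let days = 1d;
let AlertEntities = SecurityAlert
| where TimeGenerated > ago(days)
| where AlertName has theAlertName and Status == 'New'
// Alerts with no entities are dropped here; use the post's dummy-array
// trick instead if they must be kept.
| where isnotempty(Entities)
| extend Entity = todynamic(Entities)
// Expand every entity object into its own row, keeping only the types we need
| mv-apply Entity on (
    where Entity.Type in ("file", "account")
    | extend EntityType    = tostring(Entity.Type),
             EntityName    = tostring(Entity.Name),
             FileDir       = tostring(Entity.Directory),
             AccountSid    = tostring(Entity.Sid),
             AccountDomain = tostring(Entity.DnsDomain)
)
// Collapse back to one row per alert, with distinct sets of files and accounts
| summarize
    Files    = make_set_if(strcat(FileDir, @"\", EntityName), EntityType == "file"),
    Accounts = make_set_if(strcat(AccountDomain, @"\", EntityName, " (", AccountSid, ")"),
                           EntityType == "account")
  by SystemAlertId, AlertName, TimeGenerated;
AlertEntities
| extend FileCount = array_length(Files), AccountCount = array_length(Accounts)
| order by TimeGenerated desc
```

FileCount and AccountCount make it easy to spot alerts that would otherwise fan out into many joined rows, which is useful when deciding whether an incident's entity graph is complete.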