Forum Discussion
Thijs Lecomte
Feb 25, 2020 · Bronze Contributor
Get full data into Playbook
Hi We are currently trying to automate some alerts through Playbooks. We created a custom alert that checks for Impossible Travel Alerts from MCAS. This works well. But the issue is that some d...
Pranesh1060
Feb 26, 2020 · Brass Contributor
Thijs Lecomte This is something I have done and probably you could do.
Entities and Extended properties are JSON parameters. Using the data operations connector, parse these parameters. You could get the JSON schema from the entities/extended properties logs.
Almost all of the time the scheduled query is available in the Extended properties. By parsing you will convert JSON into String and take the Query parameter out. Initialize the variable, naming it as XYZ, and use Query with a time period (this is a must).
Using Azure Log Analytics run this initialized variable and you should be good to go. Seems like a lot of pain but works just fine.
Thijs Lecomte
Feb 26, 2020 · Bronze Contributor
That's how I do it too ATM.
But this means there is an extra query to log analytics which seems unnecessary to me... Shouldn't this be available by default?
GaryBushey Some data that I see in the SecurityAlerts table isn't available in the Playbook. These are columns like 'Entities' and 'ExtendedProperties' (these are columns that contain extra data from MCAS).
GaryBushey
Feb 27, 2020 · Bronze Contributor
Thijs Lecomte I believe what @Pranesh1060 meant is that you can take the Extended properties and the Entities fields and use the Logic Apps Parse JSON action to extract the information. There is no reason to perform another query against Log Analytics.
SocInABox
Jun 06, 2021 · Iron Contributor
Hi GaryBushey
I have 2 questions about creating playbooks for Sentinel.
1. Is there a basic rule for when you need to use the parse json function and when you don't?
eg. you can NOT:
"When Azure Sentinel incident creation rule was triggered" > "Send an email (v2)"
you CAN:
"When Azure Sentinel incident creation rule was triggered" > "parse json" > "Send an email (v2)"
However you CAN do this w/o the need for parse json:
"When Azure Sentinel incident creation rule was triggered" > "Run query and list results"
2. Secondly, when using 'parse json', how do you create the json template? Is it usually just a simple format based on the fields of interest? eg.
{
"$id": "3",
"Url": "T1039",
"Type": "url"
}
Thank you.
GaryBushey
Jun 07, 2021 · Bronze Contributor
SocInABox 1) I don't think there is a set rule; it really depends on what type of information you are trying to obtain
2) Usually, I run the playbook without the parse JSON action first, look at the run, copy the data that I need to parse from the output of the action that creates it, and then paste it into the parse JSON action as sample data and let the action handle the parsing.
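As an added illustration of what the Parse JSON step in this thread actually does (Pranesh1060's "take the Query parameter out" and GaryBushey's "use the Logic Apps Parse JSON action"), here is Python that is not from any poster: it takes a constructed SecurityAlert row in which Entities and ExtendedProperties are JSON strings nested inside the row, parses them, resolves the "$ref" entity entries Sentinel emits, and pulls out the scheduled query and its period. The key names "Query" and "Query Period" and the sample values are assumptions for the example.

```python
import json

# Constructed sample of one SecurityAlert row as a playbook receives it.
# Entities and ExtendedProperties are JSON *strings* inside the row, which is
# why they need their own parse step (Parse JSON in Logic Apps) before use.
SAMPLE_ALERT = {
    "AlertName": "Impossible travel (custom)",
    "Entities": json.dumps([
        {"$id": "2", "Name": "jdoe", "UPNSuffix": "example.com", "Type": "account"},
        {"$id": "3", "Address": "203.0.113.10", "Type": "ip"},
        {"$id": "4", "Url": "https://example.com/login", "Type": "url"},
        {"$ref": "3"},  # back-reference to entity $id 3, as the platform emits
    ]),
    "ExtendedProperties": json.dumps({
        "Query": "SecurityAlert | where ProviderName == 'MCAS'",  # assumed key
        "Query Period": "01:00:00",                                # assumed key
    }),
}


def parse_json_field(alert, field):
    """Parse a JSON-encoded string column; missing, empty or invalid -> None."""
    raw = alert.get(field)
    if not raw:
        return None
    try:
        return json.loads(raw)
    except json.JSONDecodeError:
        return None


def entities_by_type(alert):
    """Group entities by Type, resolving {"$ref": id} and dropping duplicates."""
    entities = parse_json_field(alert, "Entities") or []
    by_id = {e["$id"]: e for e in entities if "$id" in e}
    grouped, seen = {}, set()
    for e in entities:
        target = by_id.get(e["$ref"]) if "$ref" in e else e
        if target is None or target.get("$id") in seen:
            continue
        seen.add(target.get("$id"))
        grouped.setdefault(target.get("Type", "unknown"), []).append(target)
    return grouped


def scheduled_query(alert):
    """Return (query, period) from ExtendedProperties, or None when the alert
    did not come from a scheduled rule (no Query key present)."""
    props = parse_json_field(alert, "ExtendedProperties") or {}
    if "Query" not in props:
        return None
    return props["Query"], props.get("Query Period")
```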