Forum Discussion
Get full data into Playbook
That's how I do it too ATM.
But this means there is an extra query to Log Analytics which seems unnecessary to me... Shouldn't this be available by default?
GaryBushey Some data that I see in the SecurityAlerts table isn't available in the Playbook. These are columns like 'Entities' and 'ExtendedProperties' (these are columns that contain extra data from MCAS).
Thijs Lecomte I believe what @Pranesh1060 meant is that you can take the Extended properties and the Entities fields and use the Logic Apps Parse JSON action to extract the information. There is no reason to perform another query against Log Analytics.
- SocInABox, Jun 06, 2021, Iron Contributor
Hi GaryBushey
I have 2 questions about creating playbooks for Sentinel.
1. Is there a basic rule for when you need to use the parse json function and when you don't?
eg. you can NOT:
"When Azure Sentinel incident creation rule was triggered" > "Send an email (v2)"
you CAN:
"When Azure Sentinel incident creation rule was triggered" > "parse json" > "Send an email (v2)"
However you CAN do this w/o the need for parse json:
"When Azure Sentinel incident creation rule was triggered" > "Run query and list results"
2. Secondly, when using 'parse json', how do you create the json template? Is it usually just a simple format based on the fields of interest? eg.
{
"$id": "3",
"Url": "T1039",
"Type": "url"
}
Thank you.
- GaryBushey, Jun 07, 2021, Bronze Contributor
SocInABox 1) I don't think there is a set rule, it really depends on what type of information you are trying to obtain
2) Usually, I run the playbook without the parse JSON action first, look at the run, copy the data that I need to parse from the output of the action that creates it, and then paste it into the parse JSON action as sample data and let the action handle the parsing.
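The two points made above, that the 'Entities' and 'ExtendedProperties' columns can be read with the Parse JSON action instead of a second Log Analytics query, and that the schema is generated by pasting the output of a previous run as sample data, as an added Python example (not code from this thread, from Microsoft, or from any Logic Apps internals): it decodes the two columns from a constructed alert record, generates a schema from that sample in the way the "Use sample payload" option approximately does (one type per value, every property seen in the sample marked required), checks a later payload against it, and shows the relaxation that stops the action failing on a later run where a property is absent or null. The alert values and all function names are assumptions made for the example.

```python
import json
from typing import Any

# Constructed sample alert record. 'Entities' and 'ExtendedProperties' are the
# column names from the thread; every value below is made up for this example.
SAMPLE_ALERT = {
    "AlertName": "Constructed sample alert",
    "Entities": json.dumps([
        {"$id": "2", "Address": "203.0.113.10", "Type": "ip"},
        {"$id": "3", "Url": "http://example.test/login", "Type": "url"},
        {"$id": "4", "Name": "alice", "Type": "account"},
    ]),
    "ExtendedProperties": json.dumps({"Tactics": "InitialAccess", "Techniques": "T1566"}),
}


def decode_alert(alert: dict) -> tuple:
    """Both columns arrive as JSON text inside the alert record; decoding them
    is what the Parse JSON action does for you in the playbook."""
    return json.loads(alert["Entities"]), json.loads(alert["ExtendedProperties"])


def entities_of_type(entities: list, entity_type: str) -> list:
    """Select the entities of one Type (e.g. 'url', 'ip') for use in a later action."""
    return [e for e in entities if str(e.get("Type", "")).lower() == entity_type.lower()]


def infer_schema(sample: Any) -> dict:
    """Generate a JSON schema from a sample payload, approximating the action's
    'Use sample payload to generate schema': one type per value and, for
    objects, every observed property listed as required. For an array of
    objects the properties are merged and only keys present in every item
    are required."""
    if isinstance(sample, dict):
        return {"type": "object",
                "properties": {k: infer_schema(v) for k, v in sample.items()},
                "required": list(sample.keys())}
    if isinstance(sample, list):
        if sample and all(isinstance(x, dict) for x in sample):
            merged = {}
            for item in sample:
                merged.update(item)
            items = infer_schema(merged)
            items["required"] = [k for k in merged if all(k in x for x in sample)]
            return {"type": "array", "items": items}
        return {"type": "array", "items": infer_schema(sample[0]) if sample else {}}
    if isinstance(sample, bool):
        return {"type": "boolean"}
    if isinstance(sample, int):
        return {"type": "integer"}
    if isinstance(sample, float):
        return {"type": "number"}
    if sample is None:
        return {}
    return {"type": "string"}


_TYPE_CHECKS = {
    "object": lambda v: isinstance(v, dict),
    "array": lambda v: isinstance(v, list),
    "string": lambda v: isinstance(v, str),
    "integer": lambda v: isinstance(v, int) and not isinstance(v, bool),
    "number": lambda v: isinstance(v, (int, float)) and not isinstance(v, bool),
    "boolean": lambda v: isinstance(v, bool),
    "null": lambda v: v is None,
}


def validate(data: Any, schema: dict, path: str = "$") -> list:
    """Minimal check of the two rules that make the action fail at run time:
    declared type(s) and required object properties. Returns a list of
    problems; an empty list means this payload would parse."""
    problems = []
    types = schema.get("type")
    if types is not None:
        types = [types] if isinstance(types, str) else types
        if not any(_TYPE_CHECKS[t](data) for t in types):
            return [f"{path}: expected {types}, got {type(data).__name__}"]
    if isinstance(data, dict):
        for key in schema.get("required", []):
            if key not in data:
                problems.append(f"{path}.{key}: required property missing")
        for key, sub in schema.get("properties", {}).items():
            if key in data:
                problems.extend(validate(data[key], sub, f"{path}.{key}"))
    elif isinstance(data, list) and schema.get("items"):
        for i, item in enumerate(data):
            problems.extend(validate(item, schema["items"], f"{path}[{i}]"))
    return problems


def allow_missing_or_null(schema: dict) -> dict:
    """Relax a generated schema so a later run with an absent or null property
    does not fail the action: drop 'required' and admit null for every type."""
    out = dict(schema)
    out.pop("required", None)
    if isinstance(out.get("type"), str) and out["type"] != "null":
        out["type"] = [out["type"], "null"]
    if "properties" in out:
        out["properties"] = {k: allow_missing_or_null(v) for k, v in out["properties"].items()}
    if out.get("items"):
        out["items"] = allow_missing_or_null(out["items"])
    return out


if __name__ == "__main__":
    ents, ext = decode_alert(SAMPLE_ALERT)
    schema = infer_schema(ents)
    print(json.dumps(schema, indent=2))
    print("urls:", [e["Url"] for e in entities_of_type(ents, "url")])
    later = [{"Url": "http://example.test/other", "Type": "url"}]  # no '$id' this time
    print("strict:", validate(later, schema))
    print("relaxed:", validate(later, allow_missing_or_null(schema)))
```

The strict schema is what you get when the sample run happened to contain every property; the relaxed form is the edit to make by hand in the Parse JSON action's schema box when alerts of the same rule can legitimately omit a field, so the playbook keeps running instead of stopping at the parse step.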
- SocInABox, Jun 07, 2021, Iron Contributor
Thanks GaryBushey
"look at the run" is what I needed to know, thanks!
What I'm saying about the parse json rule is that some operators don't need it as a predecessor and some do - for example if you want to include fields from your alert in the email function you must use parse json first. But maybe the send email is a special exception?