How to correlate Security Alert Entities further with a WorkList

Question

Hi all,&nbsp;Newbie to Sentinel.&nbsp;In old school SIEM, one can easily correlate specific correlated Security Alert entities with a watchlist via data schema mapping.&nbsp;However for Sentinel, i notice that the Entities in Security Alert comes in multiple nested format, where i cannot do a simple 1 to 1 map to watch list to further correlate.&nbsp;I have a request to further correlate any&nbsp;SecurityAlert| where DisplayName == "Create incidents based on ADB2C Identity Protection Risky Signin"with a watchlist containing high suspicious user, Name + UPN&nbsp;The Entities of the event comes in these format:Entities[{"$id":"3","Url":"[\"unfamiliarFeatures\"]","Type":"url"},{"$id":"4","Address":"1.2.3.4","Type":"ip"},{"$id":"5","Name":"someuser","UPNSuffix":"gmail.com","IsDomainJoined":true,"Type":"account"}]&nbsp;TLDR:How to create an analytic rules to alert any SecurityAlert&nbsp;"Create incidents based on ADB2C Identity Protection Risky Signin" with a WatchList?

m_zorich · Accepted Answer

Hi there, the best way to extract the individual entities from alerts within the SecurityAlerts table is using the mv-expand operator. There are some examples here - https://github.com/reprise99/Sentinel-Queries/tree/main/Security%20Alert &nbsp;In your example there if you wanted to retrieve the IP address, you could do&nbsp;| extend x = todynamic(Entities)
| mv-expand x
| parse-where x with * '$id":"4","' IPAddress '","Type' *That would create you a new column called IPAddress with everything between&nbsp;$id":"4"," and&nbsp;","Type&nbsp;You can then map them to other tables or watchlists etc like normal&nbsp;

Forum Discussion

How to correlate Security Alert Entities further with a WorkList

Share

Resources