Forum Discussion
JMSHW0420
Mar 24, 2023, Iron Contributor
RE: How you extract 'Incident ARM ID' from a KQL query to be used in a Logic App
Hello, Can the Security Incident ID be extracted from the SecurityIncident table and used as a property or Entity value in a workflow action of a Logic App, such as 'Update Incident'? See the bel...
JMSHW0420
Mar 26, 2023, Iron Contributor
Thanks for replying, Rod_Trent. Much appreciated.
So, I am running part of the following query in an analytics rule. So passing the IncidentName will basically 'map' to the value of 'Incident ARM ID' in the action of 'Update Incident' in a Logic App?
//Test on Security Incident Properties related to a Security Alert
SecurityAlert
| where TimeGenerated between (ago(7d) .. now())
| where AlertName == "Non-Compliant Device Detected"
| extend Entities = iff(isempty(Entities), todynamic('[{"dummy" : ""}]'), todynamic(Entities))
| mv-expand Entities
| extend id_ = tostring(Entities.["$id"]),
         DeviceName = tostring(Entities.HostName)
| summarize arg_max(TimeGenerated, *) by SystemAlertId
| join (
    SecurityIncident
    | summarize arg_max(TimeGenerated, *) by IncidentNumber
    | extend Alerts = extract("\\[(.*?)\\]", 1, tostring(AlertIds))
    | mv-expand AlertIds to typeof(string)
) on $left.SystemAlertId == $right.AlertIds
| project IncidentName, IncidentNumber, AlertName
IF the above query returns multiple rows of data (E.G. 6 related Incidents), can I assume the Logic App can parse the data using the 'Parse JSON' and perform some form of For...Loop?
Essentially, I want to 'Update' each Incident and change the Severity level...
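The post above asks two things: how an IncidentName from the SecurityIncident table maps onto the 'Incident ARM ID' that the 'Update Incident' action expects, and what to do when the query returns several rows. The following is an added example, not code from the original thread or from Microsoft; it takes rows shaped like the query's `project IncidentName, IncidentNumber, AlertName` output and turns them into one severity update per incident. The subscription, resource group and workspace names are placeholders you would replace with your own, and the ARM ID path layout is the Microsoft.SecurityInsights incident resource path; `SAMPLE_ROWS` is constructed here to show the duplicate-row and bad-value cases.

```python
"""Map SecurityIncident.IncidentName values to Sentinel Incident ARM IDs.

Added example (not part of the original forum post). The 'Update incident'
Logic App action takes an Incident ARM ID; IncidentName in the SecurityIncident
table is the incident GUID that forms the last segment of that ID.
"""
import uuid

# Placeholders (assumption): take these from your own Sentinel workspace.
SUBSCRIPTION_ID = "00000000-0000-0000-0000-000000000000"
RESOURCE_GROUP = "rg-sentinel-placeholder"
WORKSPACE_NAME = "law-sentinel-placeholder"

# Resource path of a Sentinel incident under its Log Analytics workspace.
ARM_ID_TEMPLATE = (
    "/subscriptions/{sub}/resourceGroups/{rg}"
    "/providers/Microsoft.OperationalInsights/workspaces/{ws}"
    "/providers/Microsoft.SecurityInsights/Incidents/{incident}"
)

# Severity values accepted by Sentinel incidents.
VALID_SEVERITIES = {"High", "Medium", "Low", "Informational"}

# Constructed sample rows in the shape of the query's 'project' output.
# The join yields one row per alert/incident pair, so an incident can repeat,
# and a row can carry an empty or malformed IncidentName.
SAMPLE_ROWS = [
    {"IncidentName": "11111111-1111-1111-1111-111111111111", "IncidentNumber": 101, "AlertName": "Non-Compliant Device Detected"},
    {"IncidentName": "11111111-1111-1111-1111-111111111111", "IncidentNumber": 101, "AlertName": "Non-Compliant Device Detected"},
    {"IncidentName": "22222222-2222-2222-2222-222222222222", "IncidentNumber": 102, "AlertName": "Non-Compliant Device Detected"},
    {"IncidentName": "", "IncidentNumber": 103, "AlertName": "Non-Compliant Device Detected"},
    {"IncidentName": "not-a-guid", "IncidentNumber": 104, "AlertName": "Non-Compliant Device Detected"},
]


def incident_arm_id(incident_name, sub=SUBSCRIPTION_ID, rg=RESOURCE_GROUP, ws=WORKSPACE_NAME):
    """Return the Incident ARM ID for one IncidentName, or None if it is not a GUID."""
    try:
        guid = str(uuid.UUID(incident_name))  # normalises case and rejects junk
    except (ValueError, TypeError, AttributeError):
        return None
    return ARM_ID_TEMPLATE.format(sub=sub, rg=rg, ws=ws, incident=guid)


def plan_updates(rows, severity):
    """Reduce query rows to one 'Update incident' call per incident.

    Returns (updates, skipped): updates is a list of dicts carrying the ARM ID,
    the IncidentNumber and the target severity, one per distinct incident, in
    first-seen order; skipped lists the IncidentNumbers whose IncidentName could
    not be turned into an ARM ID, so they can be surfaced rather than silently lost.
    """
    if severity not in VALID_SEVERITIES:
        raise ValueError(f"severity must be one of {sorted(VALID_SEVERITIES)}")
    updates = {}
    skipped = []
    for row in rows:
        arm_id = incident_arm_id(row.get("IncidentName"))
        if arm_id is None:
            skipped.append(row.get("IncidentNumber"))
            continue
        # Same incident may appear on several rows; update it only once.
        updates.setdefault(arm_id, {
            "incidentArmId": arm_id,
            "incidentNumber": row.get("IncidentNumber"),
            "severity": severity,
        })
    return list(updates.values()), skipped


if __name__ == "__main__":
    planned, bad = plan_updates(SAMPLE_ROWS, "High")
    for update in planned:
        print(update["incidentNumber"], "->", update["incidentArmId"])
    print("skipped IncidentNumbers:", bad)
```

The same reduction is what a 'For each' over the query result does inside the Logic App; doing it in one place first means a six-row result that really covers two incidents produces two updates, not six, and rows with an unusable IncidentName are reported instead of failing the whole run.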