Sentinel incident playbook - get alert entities
Hi!
My main task is to get all alerts (alerts, not incidents) from Sentinel (analytics rules and Defender XDR) to external case management. For different reasons we need to do this on alert level. Alert trigger by design works perfectly, but this does not trigger on Defender alerts in Sentinel, only analytic rules. When using the Sentinel incident trigger, I'm not able to extract entities related to alerts, only incident-related entities. Final output is sent with HTTP POST to our external system using a Logic App.
Any ideas how to get all alerts with their entities in a Logic App?
- qlts (Copper Contributor)
Great job, thanks! Meantime I tried different ways and I came to basically the same solution. I just take the whole alert from the Alerts dynamic function and with a KQL query get just the entities.
Delay is at the beginning because it takes about 6-10 minutes to populate a new incident with entity info.
For new incidents it seems to work now. But in some cases Sentinel updates an old incident whose alert has already been sent and a new alert is not created. For example, for testing purposes I run a specific executable on my machine which triggers a custom detection rule on Defender. The first time this playbook is triggered, but on the next execution only the incident "updated" timestamp is renewed and a new entity is added (process, because new PID). What 'incident update' trigger automation rule condition would you use in that case? Need only to trigger again when the same action happens again (new entity added or something), but not for incident status/owner/etc. updates.
- ITProfessor (Brass Contributor)
This is actually a really valid question, in that case I would probably use some tracking variables and add the number of Entities flagged in the KQL, and then an additional condition where Entities != the ones previously flagged. Will try to test it out in my environment :)
- qlts (Copper Contributor)
Yeah, that should work for entity tracking. But in some cases the event happens again, no new entities, only 'Last update time' is changed. In Defender XDR/Sentinel the incident will pop up on the list, but as it does not create a new alert then the playbook is not triggered.
Not sure how it behaves when the incident is closed after the first investigation, does it reopen or create a new one?
- ITProfessor (Brass Contributor)
What I would do in this case is to create a Logic App with the trigger "Microsoft Sentinel incident" (this will grab alerts as well) and then run SystemAlertID (it's a dynamic function) against KQL.
You can use the following KQL to achieve that (we need to move the actual entities from the array into separate columns):
```kusto
SecurityAlert
| summarize arg_max(TimeGenerated, *) by SystemAlertId
| where SystemAlertId in ("")
| extend
    HostNames = extract_all(@"\""HostName\""\s*:\s*\""(.*?)\""", tostring(Entities)),
    IpAddresses = extract_all(@"\""Address\""\s*:\s*\""(.*?)\""", tostring(Entities)),
    Accounts = extract_all(@"\""Name\""\s*:\s*\""(.*?)\""", tostring(Entities)),
    UPNS = extract_all(@"\""UPNSuffix\""\s*:\s*\""(.*?)\""", tostring(Entities)),
    Urls = extract_all(@"\""Url\""\s*:\s*\""(.*?)\""", tostring(Entities))
| extend
    HostName = iff(array_length(HostNames) > 0, tostring(HostNames[0]), ""),
    IP = iff(array_length(IpAddresses) > 0, tostring(IpAddresses[0]), ""),
    Account = iff(array_length(Accounts) > 0, tostring(Accounts[0]), ""),
    UPN = iff(array_length(UPNS) > 0, tostring(UPNS[0]), ""),
    URL = iff(array_length(Urls) > 0, tostring(Urls[0]), "")
| project SystemAlertId, TimeGenerated, AlertName, HostName, IP, Account, UPN, URL
```
and then run it against the automation rule.
Here is how the output will look:
You can then Parse_JSON in another step and use for whatever you need.
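As an added example that is not part of this thread, the following Python shows the same extraction done type-aware on the Entities JSON (so a file entity's "Name" is not mistaken for an account), plus the entity-set fingerprint idea from the earlier reply for deciding whether an incident update actually added entities. The entity field names and the "Type" values are assumed to match Sentinel's SecurityAlert Entities layout; the sample entities are constructed.

```python
import hashlib
import json

# Constructed sample in the assumed SecurityAlert.Entities shape: a JSON array
# of typed entity objects. All values are made up for this example.
_BASE = [
    {"$id": "2", "HostName": "ws-0042", "Type": "host"},
    {"$id": "3", "Address": "10.0.0.17", "Type": "ip"},
    {"$id": "4", "Name": "jdoe", "UPNSuffix": "example.com", "Type": "account"},
    {"$id": "5", "Name": "suspicious.exe", "Type": "file"},
    {"$id": "6", "Url": "http://example.invalid/x", "Type": "url"},
    {"$id": "7", "ProcessId": "4312", "Type": "process"},
]
SAMPLE_ENTITIES = json.dumps(_BASE)
# Same incident after the action ran again: only a new process entity appeared.
SAMPLE_ENTITIES_UPDATED = json.dumps(_BASE + [{"$id": "8", "ProcessId": "9001", "Type": "process"}])

# Output column -> (entity Type that owns the field, field name). Filtering on
# Type avoids the pitfall of a bare "Name" regex, which also matches the file entity.
FIELD_BY_TYPE = {
    "HostName": ("host", "HostName"),
    "IP": ("ip", "Address"),
    "Account": ("account", "Name"),
    "UPN": ("account", "UPNSuffix"),
    "URL": ("url", "Url"),
}


def extract_entities(entities_json):
    """Return the first value per column, like the KQL above but type-aware."""
    entities = json.loads(entities_json)
    out = {}
    for column, (etype, field) in FIELD_BY_TYPE.items():
        matches = [e[field] for e in entities if e.get("Type") == etype and field in e]
        out[column] = matches[0] if matches else ""
    return out


def entity_fingerprint(entities_json):
    """Stable hash of the entity set; '$id' is dropped because it is renumbered per alert."""
    entities = json.loads(entities_json)
    canonical = sorted(json.dumps({k: v for k, v in e.items() if k != "$id"}, sort_keys=True)
                       for e in entities)
    return hashlib.sha256("\n".join(canonical).encode()).hexdigest()


def should_refire(previous_fingerprint, entities_json):
    """True only when the entity set changed, not on owner/status/timestamp-only updates."""
    return entity_fingerprint(entities_json) != previous_fingerprint
```

Storing the fingerprint from the first run (for example in a Logic App variable or a small table keyed by incident id) and comparing on each incident-update trigger gives the "new entity added" condition without re-sending on status or owner changes.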