Forum Discussion
SentinnelCMAN
Dec 31, 2021
Copper Contributor
Sentinnel Entity Mapping Issue
I am writing an analytic rule for Sentinel for activity captured on a Windows 10 Pro VM corresponding to a Windows Event ID from Event Viewer. For the entities on the alert rule I have the Host which i...
m_zorich
Jan 01, 2022
Iron Contributor
Yep, you will need to use the parse operator to take the field you want out of your EventData.
Not exactly sure which EventID you are after (feel free to post an example of the EventData), but an example of parsing EventData is as follows:
SecurityEvent
| parse EventData with * '<Data Name="SubjectUserName">' User '</Data>' *
Add that to your query and it will create a new column for you called 'User' from everything between '<Data Name="SubjectUserName">' and '</Data>', and you can then map it to an entity in your analytic rule.
I did a little guide to using parse and split on my GitHub if you are interested - https://github.com/reprise99/Sentinel-Queries#parse-and-split-basics
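The following query is an added example, not code from m_zorich's post or from the linked Sentinel-Queries repository. It extends the single-field parse above to a rule-ready query that pulls several fields out of EventData at once. It assumes the events land in the SecurityEvent table with the raw EventData XML intact, and it uses Event ID 4688 (process creation) as the sample event; the column names SubjectUser, SubjectDomain and ProcessPath are my own choices.

```kql
// Added example (not the original poster's or answerer's code).
// Assumes Windows Security events are in SecurityEvent with raw EventData XML.
SecurityEvent
| where EventID == 4688
// parse is positional: list the <Data> elements in the order they appear
// inside EventData, otherwise the later captures come back empty.
| parse EventData with *
    '<Data Name="SubjectUserName">' SubjectUser '</Data>' *
    '<Data Name="SubjectDomainName">' SubjectDomain '</Data>' *
    '<Data Name="NewProcessName">' ProcessPath '</Data>' *
// Rows whose EventData does not match the pattern get empty captures;
// drop them so the entity mapping never receives a blank account.
| where isnotempty(SubjectUser)
| extend AccountName = SubjectUser, AccountDomain = SubjectDomain
| project TimeGenerated, Computer, AccountName, AccountDomain, ProcessPath, EventData
```

In the analytic rule, map AccountName to the Account entity's Name field and AccountDomain to its NTDomain field, and keep Computer mapped to the Host entity. Two caveats: the capture is the literal text between the delimiters, so nothing is XML-decoded (an `&amp;` in a path stays `&amp;`), and for common Security event IDs Sentinel already exposes columns such as SubjectUserName and NewProcessName on SecurityEvent, so parsing EventData is mainly needed for event IDs it does not flatten or for events collected into the Event table.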
SentinnelCMAN
Jan 01, 2022
Copper Contributor
Thank you so much! It works!