Forum Discussion

prashanth419
Copper Contributor
Oct 11, 2023

Unable to parse entities from sentinel incident.

Hello team, I am trying to design a playbook to parse sentinel incident data and send the required fields to log analytics workspace.

Can you help me get only the kind and friendly name fields from the entities?

I tried using Parse JSON, but it doesn't seem to be working.


  • rutgersmeets
    Brass Contributor
    Hello,

    I would suggest calling https://learn.microsoft.com/en-us/rest/api/securityinsights/preview/incidents/list-entities?tabs=HTTP from the Logic App.

    Since there is no built-in support in the Sentinel connector in Logic Apps, you will need to use the HTTP connector to send the request. This will return an array of Entity objects that are related to the incident, which you could then parse as needed.

    Let me know if you need help with this.

    Best regards,
    Rutger
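A worked parse of the entity list returned by the List Entities call above, added here as an illustration (it is not code from this thread or from Microsoft). The response shape (an "entities" array of objects carrying "kind" and "properties.friendlyName", plus a "metaData" array of per-kind counts) is assumed from the API reference, and the sample body is constructed:

```python
import json
from collections import Counter

# Constructed sample body in the assumed List Entities response shape.
# The third entity deliberately has no friendlyName, so the parser must
# not drop it, which is the "only one value" symptom from the question.
SAMPLE_RESPONSE = json.dumps({
    "entities": [
        {"id": "<entity-id-1>", "kind": "Account",
         "properties": {"accountName": "jdoe", "friendlyName": "jdoe"}},
        {"id": "<entity-id-2>", "kind": "Ip",
         "properties": {"address": "203.0.113.10", "friendlyName": "203.0.113.10"}},
        {"id": "<entity-id-3>", "kind": "Host",
         "properties": {"hostName": "wks01"}},
    ],
    "metaData": [
        {"entityKind": "Account", "count": 1},
        {"entityKind": "Ip", "count": 1},
        {"entityKind": "Host", "count": 1},
    ],
})


def parse_entities(body: str) -> list[dict]:
    """Return one {"kind", "friendlyName"} record per entity, ready to be
    posted to a Log Analytics custom table as a JSON array."""
    data = json.loads(body)
    records = []
    for ent in data.get("entities", []):
        props = ent.get("properties") or {}
        records.append({
            "kind": ent.get("kind", "Unknown"),
            # friendlyName is optional; keep the row with None rather than losing it
            "friendlyName": props.get("friendlyName"),
        })
    return records


def matches_metadata(body: str) -> bool:
    """Cross-check the kinds we parsed against the per-kind counts the
    service reports, so a parsing bug that drops entities is caught."""
    data = json.loads(body)
    expected = {m["entityKind"]: m["count"] for m in data.get("metaData", [])}
    observed = Counter(r["kind"] for r in parse_entities(body))
    return dict(observed) == expected
```

In a Logic App the same two steps map to an HTTP action that calls the API followed by a Parse JSON action whose schema lists "entities" as an array, with a For each over that array picking `kind` and `properties.friendlyName`.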
    • prashanth419
      Copper Contributor
      Thank you Clive!
      It worked; however, the output has only one value of the "kind" field. I am trying to get all values of Kind and its friendly name from the Entities data of the Sentinel incident data.
      • Clive_Watson
        Bronze Contributor
        This will list all the found entities; remove or adjust the last line.

        SecurityIncident
        | summarize arg_max(TimeGenerated,*) by IncidentNumber
        | extend Alerts = extract("\\[(.*?)\\]", 1, tostring(AlertIds))
        | mv-expand AlertIds to typeof(string)
        | join
        (
        SecurityAlert
        | extend AlertEntities = parse_json(Entities)
        | mv-expand AlertEntities
        | where isnotempty(AlertEntities)
        ) on $left.AlertIds == $right.SystemAlertId
        | distinct tostring(AlertEntities.Type)
    • Clive_Watson
      Bronze Contributor
      KQL example, in case it helps - it does more with the IP entity, which might be useful.

      let rangeToCheck = "10.0.0.1/24";
      SecurityIncident
      | summarize arg_max(TimeGenerated,*) by IncidentNumber
      | extend Alerts = extract("\\[(.*?)\\]", 1, tostring(AlertIds))
      | mv-expand AlertIds to typeof(string)
      | join
      (
      SecurityAlert
      | extend AlertEntities = parse_json(Entities)
      | mv-expand AlertEntities
      | where isnotempty(AlertEntities)
      | where AlertEntities.Type == "ip"
      | extend EntityIP = tostring(AlertEntities.Address)
      | extend EntityType = tostring(AlertEntities.Type)
      | extend inRange = ipv4_is_in_range(EntityIP, rangeToCheck)
      ) on $left.AlertIds == $right.SystemAlertId
      | project IncidentName = Title, IncidentNumber=IncidentNumber, inRange, EntityIP, EntityType, AlertId = AlertIds, AlertName = AlertName
