Forum Discussion
Unable to parse entities from sentinel incident.
Hello team, I am trying to design a playbook to parse sentinel incident data and send the required fields to log analytics workspace. Can you help me how to get only kind and friendly name fields fr...
- Thank you Clive!.
It worked however the out have only one value of "kind" field. I am trying to get all values of Kind and its friendly name from Entities data of sentinel incident data.- This will list all the found entities, remove or adjust the last line
SecurityIncident
| summarize arg_max(TimeGenerated,*) by IncidentNumber
| extend Alerts = extract("\\[(.*?)\\]", 1, tostring(AlertIds))
| mv-expand AlertIds to typeof(string)
| join
(
SecurityAlert
| extend AlertEntities = parse_json(Entities)
| mv-expand AlertEntities
| where isnotempty(AlertEntities)
) on $left.AlertIds == $right.SystemAlertId
| distinct tostring(AlertEntities.Type)
- KQL example, in case it helps - it does more with the IP entity might could be useful
let rangeToCheck = "10.0.0.1/24";
SecurityIncident
| summarize arg_max(TimeGenerated,*) by IncidentNumber
| extend Alerts = extract("\\[(.*?)\\]", 1, tostring(AlertIds))
| mv-expand AlertIds to typeof(string)
| join
(
SecurityAlert
| extend AlertEntities = parse_json(Entities)
| mv-expand AlertEntities
| where isnotempty(AlertEntities)
| where AlertEntities.Type == "ip"
| extend EntityIP = tostring(AlertEntities.Address)
| extend EntityType = tostring(AlertEntities.Type)
| extend inRange = ipv4_is_in_range(EntityIP, rangeToCheck)
) on $left.AlertIds == $right.SystemAlertId
| project IncidntName = Title, IncidentNumber=IncidentNumber, inRange, EntityIP, EntityType, AlertId = AlertIds, AlertName = AlertName
