Forum Discussion
prashanth419
Oct 11, 2023Copper Contributor
Unable to parse entities from sentinel incident.
Hello team, I am trying to design a playbook to parse Sentinel incident data and send the required fields to a Log Analytics workspace. Can you help me with how to get only the kind and friendly name fields fr...
prashanth419
Oct 12, 2023Copper Contributor
Thank you Clive!.
It worked, however the output has only one value of the "kind" field. I am trying to get all values of Kind and their friendly names from the Entities data of the Sentinel incident data.
Clive_Watson
Oct 12, 2023Bronze Contributor
This will list all the found entities; remove or adjust the last line.
SecurityIncident
// keep only the latest record for each incident
| summarize arg_max(TimeGenerated,*) by IncidentNumber
| extend Alerts = extract("\\[(.*?)\\]", 1, tostring(AlertIds))
// one row per alert id so each alert can be joined individually
| mv-expand AlertIds to typeof(string)
| join
(
SecurityAlert
// Entities is a JSON string: parse it, then expand to one row per entity
| extend AlertEntities = parse_json(Entities)
| mv-expand AlertEntities
| where isnotempty(AlertEntities)
) on $left.AlertIds == $right.SystemAlertId
// last line: lists the distinct entity types; adjust to project other entity fields
| distinct tostring(AlertEntities.Type)
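The same "every entity, not just the first" problem, worked through outside KQL as an added example (not code from the thread): the incident trigger's entity list carries `kind` and `properties.friendlyName`, while `SecurityAlert.Entities` (the array the query above mv-expands) uses `Type` plus a per-type name field. The field names, both sample arrays and the fallback mapping are assumptions, not taken from the thread.

```python
import json
from collections import defaultdict

# Constructed sample in the shape of the Sentinel incident trigger's entity list:
# each entry carries `kind` and a `properties` object with `friendlyName`
# (field names assumed from the incident trigger output, not from the thread).
INCIDENT_ENTITIES_JSON = """[
  {"kind": "Account", "properties": {"friendlyName": "jdoe", "accountName": "jdoe"}},
  {"kind": "Host",    "properties": {"friendlyName": "WS-0042", "hostName": "WS-0042"}},
  {"kind": "Ip",      "properties": {"friendlyName": "203.0.113.7", "address": "203.0.113.7"}},
  {"kind": "Account", "properties": {"friendlyName": "svc-backup"}},
  {"kind": "Url",     "properties": {"url": "http://example.invalid/login"}}
]"""

# Constructed sample in the shape of SecurityAlert.Entities: flat objects keyed
# by `Type`, each with a per-type name field (assumed field names).
ALERT_ENTITIES_JSON = """[
  {"$id": "1", "Type": "account", "Name": "jdoe", "UPNSuffix": "contoso.example"},
  {"$id": "2", "Type": "host", "HostName": "WS-0042", "DnsDomain": "contoso.example"},
  {"$id": "3", "Type": "ip", "Address": "203.0.113.7"}
]"""

# Fallback name fields used when friendlyName is absent (assumed mapping; lowercase keys).
FALLBACK_NAME_FIELDS = {
    "account": ("accountname", "name"), "host": ("hostname",),
    "ip": ("address",), "url": ("url",), "filehash": ("hashvalue", "value"),
}

def parse_entities(entities_json: str) -> list:
    """Return every entity as {'kind', 'friendlyName'}; never stops at the first one."""
    rows = []
    for ent in json.loads(entities_json):
        kind = ent.get("kind") or ent.get("Type")        # incident style vs alert style
        if not kind:
            continue                                      # skip malformed entries
        props = {k.lower(): v for k, v in ent.get("properties", ent).items()}
        name = props.get("friendlyname")
        for field in FALLBACK_NAME_FIELDS.get(kind.lower(), ()):
            name = name or props.get(field)
        rows.append({"kind": kind, "friendlyName": name or "<unnamed>"})
    return rows

def group_by_kind(rows: list) -> dict:
    """Collect friendly names per kind, e.g. {'Account': ['jdoe', 'svc-backup']}."""
    grouped = defaultdict(list)
    for row in rows:
        grouped[row["kind"]].append(row["friendlyName"])
    return dict(grouped)

if __name__ == "__main__":
    print(json.dumps(group_by_kind(parse_entities(INCIDENT_ENTITIES_JSON)), indent=2))
```

The grouped dictionary is what a playbook would forward to the workspace: one entry per kind with all of its friendly names, rather than the single value an index like `[0]` yields.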