Microsoft Secure Tech Accelerator
Apr 03 2024, 07:00 AM - 11:00 AM (PDT)
Microsoft Tech Community

Cannot get 'Entities' via a custom analytic rule.

Iron Contributor

Hello folks,

 

I am trying to write an analytic rule to get all the alerts from 'Microsoft 365 Security' center and generate incidents based on those alerts in Sentinel.

All that the rule is lacking is that I get the 'Entities' tab empty when an incident is made.

Can anybody help me out if possible with an KQL command to add/get the entities part?

 

Would really appreciate the help.

4 Replies
Have you mapped the Entity in your KQL? See example

https://github.com/Azure/Azure-Sentinel/blob/06832a873e1686244f0bc02b10f79ba879078864/Detections/Mul...

The last line, maps the Host (entity) to the DeviceName column:

| extend HostCustomEntity=DeviceName

The new, Alert enrichment (Preview) allows you to create Entity Mapping from the UI and these work but don't appear in the KQL / rule logic - see https://docs.microsoft.com/en-gb/azure/sentinel/map-data-fields-to-entities#notes-on-the-new-version

@CliveWatson Thanks for the reply, but this does not work. It throws the error:

The name 'entityMappings' does not refer to any known column, table, variable or function.

Sorry that was just an example, you may prefer to use the UI option or you need to replace:

<DeviceName> with a valid column that you have in your system. As you haven't shared any syntax, its hard to guess at what entity you are trying to map. If its an "Account" for example you may need

| extend AccountCustomEntity=< your account name column >

maybe username or AccountCustomEntity = UserPrincipalName

https://github.com/Azure/Azure-Sentinel/blob/06832a873e1686244f0bc02b10f79ba879078864/Detections/Mul...
Sorry, I was not able to interpret that.
So what I am doing is I have created a logic app for ingesting the Office 365 alerts via Graph Security API and then I am storing the results in a custom table called 'OfficeAlerts_LogicApp_CL'

Then I am trying to call that table using KQL to make incidents from the alerts in that table.
My query is as below :

OfficeAlerts_LogicApp_CL
| where parse_json(comments_s)[0] == "New alert"
| where vendorInformation_provider_s == "Office 365 Security and Compliance"
| where parse_json(userStates_s)[0].domainName == ""

I think maybe the problem is that the output is in pure 'json' and I am not able to parse/structure it so that I can get the entities in the incident.
Can you suggest something that as per this situation please?