Sentinel: IPCustomEntity missing from Graph security alerts


First post, so: hi all!

I need to be able to query Sentinel incidents programmatically for further processing but noticed that not all entities are available when querying through Graph.

My query gets user, host and source IP from the results:

| extend AccountCustomEntity = user
| extend HostCustomEntity = host_s
| extend IPCustomEntity = tostring(sourceip)

And the IP addresses show up in the web interface. If I perform a query against https://graph.microsoft.com/v1.0/security/alerts I get all the Sentinel incidents but the IP address is missing from the response:

{'id': '...', 'azureTenantId': '...', 'azureSubscriptionId': '...', 'riskScore': None, 'tags': [], 'activityGroupName': None, 'assignedTo': None, 'category': '...', 'closedDateTime': None, 'comments': [], 'confidence': None, 'createdDateTime': '2020-01-29T13:50:07.4965087Z', 'description': '...', 'detectionIds': [], 'eventDateTime': '2020-01-29T13:35:06.725Z', 'feedback': None, 'lastModifiedDateTime': '2020-01-29T13:50:07.5670528Z', 'recommendedActions': [], 'severity': 'medium', 'sourceMaterials': [], 'status': 'newAlert', 'title': '...', 'vendorInformation': {'provider': 'Azure Sentinel', 'providerVersion': None, 'subProvider': None, 'vendor': 'Microsoft'}, 'cloudAppStates': [], 'fileStates': [], 'hostStates': [{'fqdn': None, 'isAzureAdJoined': None, 'isAzureAdRegistered': None, 'isHybridAzureDomainJoined': None, 'netBiosName': 'mypc', 'os': None, 'privateIpAddress': None, 'publicIpAddress': None, 'riskScore': None}, {'fqdn': None, 'isAzureAdJoined': None, 'isAzureAdRegistered': None, 'isHybridAzureDomainJoined': None, 'netBiosName': 'mypc', 'os': None, 'privateIpAddress': None, 'publicIpAddress': None, 'riskScore': None}], 'historyStates': [], 'malwareStates': [], 'networkConnections': [], 'processes': [], 'registryKeyStates': [], 'triggers': [], 'userStates': [{'aadUserId': None, 'accountName': 'myuser', 'domainName': None, 'emailRole': 'unknown', 'isVpn': None, 'logonDateTime': None, 'logonId': None, 'logonIp': None, 'logonLocation': None, 'logonType': None, 'onPremisesSecurityIdentifier': None, 'riskScore': None, 'userAccountType': None, 'userPrincipalName': 'myuser'}, {'aadUserId': None, 'accountName': 'myuser', 'domainName': None, 'emailRole': 'unknown', 'isVpn': None, 'logonDateTime': None, 'logonId': None, 'logonIp': None, 'logonLocation': None, 'logonType': None, 'onPremisesSecurityIdentifier': None, 'riskScore': None, 'userAccountType': None, 'userPrincipalName': 'myuser'}], 'vulnerabilityStates': []}

I would expect the IP address to be in one of the IP related fields but it is not. Am I missing something obvious?

2 Replies

@rogierg Depending on what you need to do with the information, you can use the Azure Sentinel REST API calls to get the information.

There are a couple of blog posts out there on how to use it including mine on using PowerShell here https://www.garybushey.com/2020/01/11/your-first-azure-sentinel-rest-api-call/

Since it is a REST call, you should be able to do it in your preferred language.

@Gary Bushey: thanks for your response. This information is not in the Sentinel REST API:

{"title":"CEF test","description":"","severity":"Medium","status":"New","labels":[],"endTimeUtc":"2020-01-31T10:06:18.027Z","startTimeUtc":"2020-01-31T09:27:14.243Z","owner":{"objectId":null,"email":null,"name":null},"lastUpdatedTimeUtc":"2020-02-03T12:50:03Z","createdTimeUtc":"2020-02-03T12:50:03.9258785Z","relatedAlertIds":["..."],"relatedAlertProductNames":["Azure Sentinel"],"caseNumber":6171,"totalComments":0,"metrics":{"SecurityAlert":1},"firstAlertTimeGenerated":"2020-02-03T12:50:03.0676935Z","lastAlertTimeGenerated":"2020-02-03T12:50:03.0676935Z"}},{"id":"/subscriptions/.../resourceGroups/.../providers/Microsoft.OperationalInsights/workspaces/.../providers/Microsoft.SecurityInsights/Cases/...","name":"...","etag":"\\"...\\"","type":"Microsoft.SecurityInsights/Cases","properties":{"title":"CEF test","description":"","severity":"Medium","status":"New","labels":[],"endTimeUtc":"2020-01-31T10:06:18.027Z","startTimeUtc":"2020-01-31T09:27:14.243Z","owner":{"objectId":null,"email":null,"name":null},"lastUpdatedTimeUtc":"2020-02-03T12:49:53Z","createdTimeUtc":"2020-02-03T12:49:53.5068612Z","relatedAlertIds":["..."],"relatedAlertProductNames":["Azure Sentinel"],"caseNumber":6170,"totalComments":0,"metrics":{"SecurityAlert":1},"firstAlertTimeGenerated":"2020-02-03T12:49:52.6768191Z","lastAlertTimeGenerated":"2020-02-03T12:49:52.6768191Z"}}

I was able to get the entities by performing a query against the log analytics API but this is not ideal:

SecurityAlert | where SystemAlertId == '" + systemalertid + "' | project Entities

Another thing I tried is to send logs in CEF format to sentinel. The information then shows up in CommonSecurityLog (and I could then query it like above) but not in the Sentinel REST API.

Any idea why?
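The Log Analytics route in the reply above has two practical wrinkles: the Entities column comes back as a JSON string rather than structured fields, and the snippet splices the alert id into the query text by string concatenation, so an id taken from another system could rewrite the KQL. The following Python is an added example, not code from the thread or from Microsoft: it validates the id as a GUID before building the same query, then parses an Entities value into account, host and IP lists. The sample Entities value is constructed, and the field names it relies on (Type, Name, HostName, Address) are an assumption of this example about how custom entities are serialized.

```python
import ipaddress
import json
import re
from typing import Dict, List, Union

# Constructed sample Entities value (not taken from a real workspace). The
# shape, a JSON array of objects with a "Type" discriminator and
# "Name" / "HostName" / "Address" fields, is an assumption of this example.
SAMPLE_ENTITIES = json.dumps([
    {"$id": "2", "Name": "myuser", "Type": "account"},
    {"$id": "3", "HostName": "mypc", "Type": "host"},
    {"$id": "4", "Address": "203.0.113.7", "Type": "ip"},
    {"$id": "5", "Address": "203.0.113.7", "Type": "ip"},  # duplicate entity
    {"$id": "6", "Address": "not-an-ip", "Type": "ip"},    # junk from tostring(sourceip)
])

# SystemAlertId values are GUIDs; anything else is refused before it reaches KQL.
_GUID_RE = re.compile(r"^[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}$", re.IGNORECASE)


def build_entities_query(system_alert_id: str) -> str:
    """Return the KQL for one alert's Entities column.

    The id is validated as a GUID first, so a value received from an
    external system cannot alter the query (same query as the thread's
    snippet, without the concatenation hole).
    """
    if not _GUID_RE.match(system_alert_id):
        raise ValueError(f"SystemAlertId is not a GUID: {system_alert_id!r}")
    return (
        "SecurityAlert "
        f"| where SystemAlertId == '{system_alert_id}' "
        "| project Entities"
    )


def parse_entities(entities: Union[str, list, None]) -> Dict[str, List[str]]:
    """Turn one Entities cell into {"account": [...], "host": [...], "ip": [...]}.

    Accepts the raw JSON string the query API returns, or an already decoded
    list. Unknown entity types are ignored, IP addresses are validated with
    the ipaddress module, and duplicates are dropped in first-seen order.
    """
    if not entities:
        items = []
    elif isinstance(entities, str):
        items = json.loads(entities)
    else:
        items = entities

    found: Dict[str, List[str]] = {"account": [], "host": [], "ip": []}
    for item in items:
        kind = str(item.get("Type", "")).lower()
        if kind == "account":
            value = item.get("Name")
        elif kind == "host":
            value = item.get("HostName")
        elif kind == "ip":
            try:
                value = str(ipaddress.ip_address(item.get("Address")))
            except ValueError:
                continue  # skip values that are not real IPv4/IPv6 addresses
        else:
            continue
        if value and value not in found[kind]:
            found[kind].append(value)
    return found


if __name__ == "__main__":
    print(build_entities_query("12345678-1234-1234-1234-123456789abc"))
    print(parse_entities(SAMPLE_ENTITIES))
```

In a real pipeline, the string returned by build_entities_query is what you send to the Log Analytics query API, and the Entities cell of the single row it returns is what you hand to parse_entities; the example runs offline on the constructed sample so the parsing and the GUID check can be exercised without a workspace.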