Microsoft Tech Community

Sign in risk alert and playbook


I am running into some issues with an alert I am trying to build and I wonder if anyone else has come across this. I have an alert rule with the following query:

SecurityAlert
| where TimeGenerated > ago(30m)
| where AlertName == "Unfamiliar sign-in properties"
// ExtendedProperties is a JSON string; Extprop holds the parsed object
| extend Extprop = parse_json(ExtendedProperties)
| extend UserPrincipalName = Extprop["User Account"]
| extend IPAddress = Extprop["Client IP Address"]
| extend Location = Extprop["Client Location"]
| project AlertName, AlertType, TimeGenerated, UserPrincipalName, IPAddress, Location
| extend AccountCustomEntity = UserPrincipalName
| extend IPCustomEntity = IPAddress

Here are the problems:

1. When a case is created, it does not map the user principal name or the IP address to the case. When building that alert, the drop-down menu for these values did not show the selected fields as options.

2. The second problem is, I think, related to the first. Once a case is created, I tried creating a logic app/playbook that would email the details of the case to me and create a PowerShell command using output from the alert. Because the entities like username and IP address didn’t map to the case, I can’t pull them in from the Sentinel case that is defined in the trigger. I was able to add a step to run a log query and then use the output in future steps. This worked okay for testing, but the problem I see is that the query has a time limit. Right now it is for all events generated within 30 minutes. If the playbook is run more than 30 minutes after the alert, it won’t see it.

3. I was able to use a data gateway to create a PowerShell script on a local server through the playbook. The problem was that the last few lines of the script add an A after each value. I attached a screenshot. If I change the file extension to .txt then it displays correctly, but when I switch it back to .ps1 the “A”s are back. This happens whether I create the file with dynamic values or not.

7 Replies

@andrew_bryant

@Liza Mash Levin: Is this something you can speak to?

(CC: @Ofer_Shezaf)

@andrew_bryant - can you please remove the extend fields and define them using the 'Entity mapping' capability?

Furthermore, can you please send me the alert ID (it will be available once you try to edit the alert) and the workspace ID?

@andrew_bryant the entity extraction supports only string values; simply add tostring on the column you would want to map and this will work.

We will add a warning in the UI to surface this issue to make sure the customers understand the root cause of this.

Thanks,

Liza

@Liza Mash Levin thanks for that info. The username is now showing up in the case. However, when I go to the playbook/logic app that is triggered by the Sentinel alert, it does not have the ability to pull the username in as dynamic content to a future step.

Some things I am trying to accomplish with the playbook are to send an email alert that would contain the username, open a ServiceNow ticket that would contain the username, or create a PowerShell script to reset the user's password.

Thanks,

Andrew

@andrew_bryant, I'm adding @Koby Koren to help with your issue with the playbooks.

Thanks Liza.

Hi @andrew_bryant.

Thank you for your feedback.

You are right. The team completed the work on adding actions to the Azure Sentinel connector to allow customers to get the list of users, machines and IPs so they can use them as part of the playbooks exactly like you've mentioned.

It should be available in the designer in 1-2 weeks.

@Liza Mash Levin

Hi Liza,

Having an issue with another alert. Here is the query:

SecurityAlert
| where ProviderName == "MCAS"
| where TimeGenerated > ago(15m)
| where AlertName == "Impossible travel activity"
// Entities is a JSON array stored as a string; expand it to one row per entity
| extend Entities = todynamic(Entities)
| mv-expand Entities
| project AlertName, AlertSeverity, Entities, TimeGenerated
| evaluate bag_unpack(Entities)
| extend Type = column_ifexists("Type", "")
| where Type in ("account", "host", "ip")
| where Type == "account"

I want to map the column Name to the AccountCustomEntity. If I add this line in the log query it displays fine:

| extend AccountCustomEntity = tostring(Name)

But it will not allow me to save that in the alert rule. It says query syntax error. In fact, any attempt I make to add a line in the alert rule that uses the "Name" column gives me that error.
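Taking Liza's tostring advice together with both of Andrew's queries, here is an added example (editor's code, not posted by any participant in the thread) in which every column intended for entity mapping is cast to a string. In the second query, reading Name and Type straight from the expanded dynamic entity instead of unpacking it with bag_unpack is my assumption about why the rule editor rejects the Name column; the thread itself does not confirm it.

```kql
// Added example (not from the thread). Entity extraction only accepts
// string columns, so every mapped value is wrapped in tostring().
//
// 1. "Unfamiliar sign-in properties": ExtendedProperties is a JSON string,
//    so the parsed fields are dynamic until cast.
SecurityAlert
| where TimeGenerated > ago(30m)
| where AlertName == "Unfamiliar sign-in properties"
| extend Extprop = parse_json(ExtendedProperties)
| extend UserPrincipalName = tostring(Extprop["User Account"])
| extend IPAddress = tostring(Extprop["Client IP Address"])
| extend Location = tostring(Extprop["Client Location"])
| project AlertName, AlertType, TimeGenerated, UserPrincipalName, IPAddress, Location
// In the rule's 'Entity mapping' settings map UserPrincipalName -> Account
// and IPAddress -> IP. If the AccountCustomEntity / IPCustomEntity extend
// lines are kept instead, they must be string columns as well:
// | extend AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress

// 2. "Impossible travel activity": the account sits inside the Entities
//    array. Assumption for this example: taking the fields directly from
//    the expanded entity (no bag_unpack) keeps the resulting columns
//    visible to the analytics-rule editor.
SecurityAlert
| where ProviderName == "MCAS"
| where TimeGenerated > ago(15m)
| where AlertName == "Impossible travel activity"
| mv-expand Entity = todynamic(Entities)
| where tostring(Entity.Type) == "account"
| extend AccountName = tostring(Entity.Name)
| where isnotempty(AccountName)
| project AlertName, AlertSeverity, TimeGenerated, AccountName
// Map AccountName -> Account (Name) in 'Entity mapping'.
```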