03-25-2019 11:52 AM
I am running into some issues with an alert I am trying to build and I wonder if anyone else has come across this. I have an alert rule with the following query:
| where TimeGenerated > ago(30m)
| where AlertName == "Unfamiliar sign-in properties"
| extend Extprop = parsejson(ExtendedProperties)
| extend UserPrincipalName = Extprop["User Account"]
| extend IPAddress = Extprop["Client IP Address"]
| extend Location = Extprop["Client Location"]
| project AlertName,AlertType,TimeGenerated,UserPrincipalName,IPAddress,Location
| extend AccountCustomEntity = UserPrincipalName
| extend IPCustomEntity = IPAddress
Here are the problems:
1. When a case is created, it does not map the user principal name or the IP address to the case. When building that alert, the drop-down menu for these values did not show the selected fields as options.
2. The second problem is, I think, related to the first. Once a case is created, I tried creating a logic app/playbook that would email the details of the case to me and create a PowerShell command using output from the alert. Because the entities like username and IP address didn’t map to the case, I can’t pull them in from the Sentinel Case that is defined in the trigger. I was able to add a step to run a log query and then use the output in future steps. This worked okay for testing, but the problem I see is that the query has a time limit. Right now it is for all events generated within 30 minutes. If the playbook is run more than 30 minutes after the alert, it won’t see it.
3. I was able to use a data gateway to create a PowerShell script on a local server through the playbook. The problem was that the last few lines of the script add an "A" after each value. I attached a screenshot. If I change the file extension to .txt then it displays correctly, but when I switch it back to .ps1 the "A"s are back. This happens whether I create the file with dynamic values or not.
03-26-2019 02:25 AM
@andrew_bryant The entity extraction supports only string values; simply add tostring on the column you want to map and this will work.
We will add a warning in the UI to surface this issue, to make sure customers understand the root cause of this.
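For reference, here is the original poster's query with the tostring() change from the reply applied. This is an added example, not code from either participant; it assumes the alerts are read from the SecurityAlert table, which the snippet in the first post does not name.

```kusto
// Added example (not from the thread): the alert query with tostring() applied
// to every column that is mapped to a case entity.
// Assumption: the alerts come from the SecurityAlert table.
SecurityAlert
| where TimeGenerated > ago(30m)
| where AlertName == "Unfamiliar sign-in properties"
| extend Extprop = parse_json(ExtendedProperties)
// parse_json() returns a dynamic value; entity mapping only accepts strings,
// so each value that feeds an entity column is wrapped in tostring().
| extend UserPrincipalName = tostring(Extprop["User Account"])
| extend IPAddress = tostring(Extprop["Client IP Address"])
| extend Location = tostring(Extprop["Client Location"])
| project AlertName, AlertType, TimeGenerated, UserPrincipalName, IPAddress, Location
// Entity columns now hold string values, so the case gets the account and IP mapped.
| extend AccountCustomEntity = UserPrincipalName
| extend IPCustomEntity = IPAddress
```

The only functional difference from the first post's query is the tostring() wrapper on the three extended-property lookups; the project and entity lines are unchanged.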
03-27-2019 01:21 PM
@Liza Mash Levin thanks for that info. The username is now showing up in the case. However, when I go to the playbook/logic app that is triggered by the Sentinel alert, it does not have the ability to pull the username in as dynamic content to a future step.
Some things I am trying to accomplish with the playbook are to send an email alert that would contain the username, open a ServiceNow ticket that would contain the username, or create a PowerShell script to reset the user's password.
03-28-2019 07:26 AM
Thank you for your feedback.
You are right. The team completed the work on adding actions to the Azure Sentinel connector to allow customers to get the list of users, machines and IPs so they can use them as part of the playbooks exactly like you've mentioned.
It should be available in the designer in 1-2 weeks.
04-19-2019 06:38 AM
Having an issue with another alert. Here is the query: