Sep 15 2021 08:23 AM
Hey,
I am unable to add an item to my choice of watchlists using entities like an account, computer, hostname, or IP address. The step where the watchlist condition takes an input is being skipped by the logic app. Can anyone help regarding this?
TIA
Sep 15 2021 08:49 AM
@abubakr786 Would need to see a picture of the For each loop expanded to get a better idea of what is happening. It basically looks like there are no accounts to process. Have you validated that you have accounts being returned from the previous step?
Sep 16 2021 12:37 AM
Hey @Gary Bushey
I've attached the For each loop picture, along with the input/output run details for Get_Account and the For each loop for Get_Account. There is an input and output link for Get_Account, and also an input link for the For each loop for Account, but it has no output link.
I guess that would be the issue where I need help; pictures attached for reference.
Sep 16 2021 04:59 AM
@abubakr786 The images do not state if there were actually any account entities found.
If you do not already know, you can go to the last run, go to the "Entities - Get Accounts" step and click on it. In the new pane on the right side it will show the outputs, and the Body field will tell you if it found anything.
Sep 16 2021 05:21 AM
Sep 16 2021 06:28 AM
@abubakr786 That is exactly what I was referring to. So your For loop isn't being executed because there is nothing for it to execute on. At least in this case, the incident or alert has no account entities so the loop doesn't run.
Sep 16 2021 08:52 AM
Sep 16 2021 09:56 AM
@abubakr786 The first thing would be to check that your alert/incident (depending on what trigger you are using) actually has any entities.
Sep 17 2021 01:27 AM
@Gary Bushey Does the logic app output, in any form, return the values of the entities fetched? As I don't see any entity field or value in the code format of the alert trigger.
Sep 17 2021 03:59 AM
@abubakr786 No, you must load them like you were doing in your Logic App.
Sep 20 2021 12:38 AM
@abubakr786 @Gary Bushey correct me if I'm wrong, but I believe you will never get any entities/other useful information in your logic app/watchlist unless you run the logic app on an actual alert. Just pressing "run trigger" will end up returning blanks regardless, since there is no information in the initial trigger "When a response to an Azure Sentinel alert is triggered".
Sep 20 2021 04:20 AM
Sep 21 2021 01:38 AM
@Gary Bushey What I meant to ask was whether, at any part in the logic app, the raw input/output contains the fetched value of an entity, which is the exact value of the entity that is added to the watchlist.
Please also share whether the query used to trigger a certain alert/incident requires projection or retrieval of the entities that are added to watchlists; however, the values required by the Get action are part of the payload of the event.
Sep 21 2021 05:25 AM
@abubakr786 Not quite sure what you are asking. When you use the Logic app action to load an entity then you can access the raw (JSON) data that has been returned.
Not sure what you mean by "...the exact value of the entity that is added to the watchlist", as a watchlist can contain a lot of different types of data. It all depends on how you have set up the watchlist.
Sep 21 2021 05:49 AM
@Gary Bushey This is what I asked: when you use the Logic app action to load an entity, you can access the raw (JSON) data that has been returned. Since no value was returned, I couldn't find what is actually not returning the data.
Is there any blog or documentation of the implementation available that you can share? All I need is to add an item to the custom watchlist; it doesn't matter what the trigger is.
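An added example, not code from this thread or from the Sentinel connector, illustrating both points raised above: the For each loop being skipped because "Entities - Get Accounts" returned nothing, and mapping the returned entities to watchlist rows. The shape of the Get Accounts body (a top-level "Accounts" array) and the watchlist column names are assumptions; compare them with the Body shown under Outputs for that step in the run history.

```python
import json

# Constructed sample output of the "Entities - Get Accounts" action (shape assumed:
# a top-level "Accounts" array of Sentinel account entities). Compare with the Body
# shown under Outputs for that step in the Logic App run history.
GET_ACCOUNTS_OUTPUT = json.loads("""
{"Accounts": [
  {"accountName": "jdoe", "upnSuffix": "contoso.example", "Type": "account"},
  {"accountName": "svc-backup", "ntDomain": "CORP", "Type": "account"}
]}
""")
# What the same step returns when the alert or incident carries no account entities.
EMPTY_OUTPUT = {"Accounts": []}


def account_entities(body):
    """Return the account entities in a Get Accounts body, or [] when there are none.

    A missing or null "Accounts" key is treated the same as an empty array, because
    either way a For each over it runs zero iterations."""
    if not isinstance(body, dict):
        return []
    accounts = body.get("Accounts") or []
    return [a for a in accounts if isinstance(a, dict) and a.get("accountName")]


def account_key(entity):
    """Build one searchable value per account: UPN if present, else DOMAIN\\name."""
    name = entity["accountName"]
    if entity.get("upnSuffix"):
        return f"{name}@{entity['upnSuffix']}"
    if entity.get("ntDomain"):
        return f"{entity['ntDomain']}\\{name}"
    return name


def watchlist_items(body, incident_id):
    """Rows to add to the watchlist, one per account entity.

    Column names ("Account", "SourceIncident") are hypothetical; use the columns of
    the watchlist the playbook writes to. An empty result means the loop is skipped."""
    return [{"Account": account_key(e), "SourceIncident": incident_id}
            for e in account_entities(body)]


def loop_diagnosis(body):
    """One-line reason for a skipped For each, suitable for a log or a Compose action."""
    n = len(account_entities(body))
    if n == 0:
        return "Get Accounts returned no account entities; For each has nothing to iterate"
    return f"{n} account entit{'y' if n == 1 else 'ies'} found; For each will run {n} time(s)"
```

Running `loop_diagnosis` on the real step output before the loop makes the "no entities" case visible in the run history instead of appearing as a silently skipped step.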