Jan 31 2024 12:45 PM
Hey there,
I've posted here on this topic before when I didn't even know where to start - (https://techcommunity.microsoft.com/t5/microsoft-sentinel/include-additional-entities-detail-in-emai...). The guidance I got was great and I headed off to explore my options. Since then I've been sidetracked several times and I'm just getting back into this process.
The Problem
I use an automation rule to run the "send-email-with-formatted-incident-report" playbook every time an incident is created. Among the details included in the report are the entities associated with the incident. For some incidents, like "Explicit MFA Deny", the entities give enough detail to work with; that incident includes the account as a friendly name and the IP address. With most incidents, the entities don't provide enough details or the right details. The most common issue is that the account is shown as an object id.
Attempted Resolutions
So I tried to extend the playbook by doing a KQL query against the SigninLogs table. If I query the table directly, I am able to find the UserName and/or UPN. When I added this query into the playbook, the first issue I had was that most alerts include multiple entities and the query would fail when it ran into the wrong entity type. So I tried adding a new step, "Entities - Get Accounts" so the individual entity would be available in the workflow. But this fails because it's expecting a text string and the object ID is the wrong type.
Am I approaching this the wrong way? Do I need to build separate playbooks for various alert sources? Or am I missing something with the process of acquiring the entities in the playbook?
TIA,
~dgm~
Feb 02 2024 03:04 AM
Feb 07 2024 09:24 AM
This was fantastic! Thank you very much. I made a bunch of progress since you responded. For a lot of the alerts we get this works perfectly but only if the accounts that I'm acquiring have the friendly name by default. With some alerts, like Atypical Travel, the accounts show as an object ID and those don't show if I use "Entities - Get Accounts". And I don't see anything that allows me to extract the account entities if they're object IDs. Thoughts?
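The two problems described in the original post and this follow-up (the query failing on non-account entities, and account entities that carry only an Entra object ID) can both be handled by splitting the incident's entity list before querying. The following is an added example written for this thread, not code from the forum or from Microsoft's playbook: it assumes the Sentinel entity shape (`kind` plus `properties` with `aadUserId`, `accountName`, `upnSuffix`, `friendlyName`) and the `UserId`, `UserPrincipalName` and `UserDisplayName` columns of `SigninLogs`; the sample entities and lookup rows are constructed. The generated KQL string is what you would hand to the Azure Monitor Logs "Run query and list results" action in the playbook.

```python
import json
import re

# Constructed sample of the "entities" array a Sentinel incident trigger hands
# to a Logic App. Field names follow the Sentinel entity schema; values are made up.
SAMPLE_ENTITIES = json.loads("""
[
  {"kind": "Account",
   "properties": {"accountName": "jdoe", "upnSuffix": "contoso.example",
                  "friendlyName": "jdoe@contoso.example"}},
  {"kind": "Account",
   "properties": {"aadUserId": "11111111-2222-3333-4444-555555555555"}},
  {"kind": "Ip", "properties": {"address": "203.0.113.10"}},
  {"kind": "Account",
   "properties": {"aadUserId": "66666666-7777-8888-9999-000000000000"}}
]
""")

# Object ids must be GUIDs; validating them before they are spliced into KQL
# keeps arbitrary entity text out of the query.
GUID_RE = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")


def split_account_entities(entities):
    """Return (resolved, unresolved_ids).

    resolved:       display strings for accounts that already carry a readable
                    name (friendlyName, or accountName@upnSuffix).
    unresolved_ids: Entra object ids of accounts that only carry aadUserId and
                    still need a SigninLogs lookup.
    Non-account entities (IPs, hosts, ...) are skipped, so a mixed incident no
    longer breaks the flow.
    """
    resolved, unresolved = [], []
    for ent in entities:
        if ent.get("kind") != "Account":
            continue
        p = ent.get("properties", {})
        if p.get("friendlyName"):
            resolved.append(p["friendlyName"])
        elif p.get("accountName") and p.get("upnSuffix"):
            resolved.append(f"{p['accountName']}@{p['upnSuffix']}")
        elif p.get("accountName"):
            resolved.append(p["accountName"])
        elif p.get("aadUserId"):
            unresolved.append(p["aadUserId"])
    return resolved, unresolved


def build_signinlogs_lookup(object_ids, lookback="30d"):
    """Build one KQL query mapping every unresolved object id to a UPN.

    SigninLogs.UserId holds the Entra object id; arg_max keeps the most recent
    sign-in per user so each id yields at most one row. Returns None when there
    is nothing to look up, so the playbook can skip the query step.
    """
    if not object_ids:
        return None
    for oid in object_ids:
        if not GUID_RE.match(oid):
            raise ValueError(f"not a GUID, refusing to put it in KQL: {oid!r}")
    ids = ", ".join(f'"{oid}"' for oid in object_ids)
    return (
        "SigninLogs\n"
        f"| where TimeGenerated > ago({lookback})\n"
        f"| where UserId in ({ids})\n"
        "| summarize arg_max(TimeGenerated, UserPrincipalName, UserDisplayName) by UserId\n"
        "| project UserId, UserPrincipalName, UserDisplayName"
    )


def merge_lookup_results(object_ids, rows):
    """Turn query result rows back into display strings, in entity order.

    An id with no sign-in inside the lookback window (a disabled or dormant
    account, for example) is kept as the raw object id rather than dropped, so
    the report still lists every account the incident referenced.
    """
    by_id = {r["UserId"]: r for r in rows}
    out = []
    for oid in object_ids:
        r = by_id.get(oid)
        if r:
            out.append(f"{r['UserPrincipalName']} ({r['UserDisplayName']})")
        else:
            out.append(f"{oid} (no sign-in within lookback)")
    return out


if __name__ == "__main__":
    named, ids = split_account_entities(SAMPLE_ENTITIES)
    print("already resolved:", named)
    print(build_signinlogs_lookup(ids))
```

In the playbook this maps onto three steps: a Compose/Filter on the trigger's entities, a conditional "Run query and list results" that only executes when the generated query is not empty, and a final step that merges the rows back into the report body so accounts that never appear in `SigninLogs` are not silently lost.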
Feb 07 2024 10:14 AM