Enrich table with entities from security incident

MartijnZwart · ‎May 10 2022

Hi,

I want to create a extra colum for entity data from the incident, like host, ip and account. But i can't seem to get it working. What do i need to add to this query?

SecurityIncident

| where Severity in ({Severity}) or "*" in ({Severity})

| extend Tactics = todynamic(AdditionalData.tactics)

| where Tactics in ({Tactics}) or "*" in ({Tactics})

| extend Owner = todynamic(Owner.assignedTo)

| where Owner in ({Owner}) or "*" in ({Owner})

| extend Product = todynamic((parse_json(tostring(AdditionalData.alertProductNames))[0]))

| where Product in ({Product}) or "*" in ({Product})

| order by LastModifiedTime

| project LastModifiedTime,IncidentNumber, Title, Status, Severity, Tactics, Classification, ClassificationReason,ClassificationComment

| take 250

Thanks in advance

Clive_Watson · ‎May 10 2022

@MartijnZwart example for IP entity, which may give you a clue. As you are doing this for a Workbook, take a look at the "Investigation Insights" built-in template which has this.

SecurityIncident
| summarize arg_max(TimeGenerated,*) by IncidentNumber
| extend Alerts = extract("\\[(.*?)\\]", 1, tostring(AlertIds))
| mv-expand AlertIds to typeof(string)
| join 
(
    SecurityAlert
    | extend AlertEntities = parse_json(Entities)
    | mv-expand AlertEntities
    | where isnotempty(AlertEntities)
    | where AlertEntities.Type == "ip"
    | extend EntityIP = tostring(AlertEntities.Address)
    | extend EntityType = tostring(AlertEntities.Type)
) on $left.AlertIds == $right.SystemAlertId
| project IncidntName = Title, IncidentNumber=IncidentNumber,  EntityIP, EntityType, AlertId = AlertIds, AlertName = AlertName

Products (50)

Special Topics (27)

Video Hub (462)

Most Active Hubs

Most Active Hubs

Video Hub

Enrich table with entities from security incident

Enrich table with entities from security incident

Re: Enrich table with entities from security incident