Enrich table with entities from security incident




I want to create a extra colum for entity data from the incident, like host, ip and account. But i can't seem to get it working. What do i need to add to this query?


where Severity in ({Severity}or "*" in ({Severity})
extend Tactics = todynamic(AdditionalData.tactics)
where Tactics in ({Tactics}or "*" in ({Tactics})
extend Owner = todynamic(Owner.assignedTo) 
where Owner in ({Owner}or "*" in ({Owner})
extend Product = todynamic((parse_json(tostring(AdditionalData.alertProductNames))[0])) 
where Product in ({Product}or "*" in ({Product})
order by LastModifiedTime 
project LastModifiedTime,IncidentNumber, Title, Status, Severity, Tactics, Classification, ClassificationReason,ClassificationComment
take 250
Thanks in advance
1 Reply

@MartijnZwart example for IP entity, which may give you a clue.  As you are doing this for a Workbook, take a look at the "Investigation Insights" built-in template which has this. 


| summarize arg_max(TimeGenerated,*) by IncidentNumber
| extend Alerts = extract("\\[(.*?)\\]", 1, tostring(AlertIds))
| mv-expand AlertIds to typeof(string)
| join 
    | extend AlertEntities = parse_json(Entities)
    | mv-expand AlertEntities
    | where isnotempty(AlertEntities)
    | where AlertEntities.Type == "ip"
    | extend EntityIP = tostring(AlertEntities.Address)
    | extend EntityType = tostring(AlertEntities.Type)
) on $left.AlertIds == $right.SystemAlertId
| project IncidntName = Title, IncidentNumber=IncidentNumber,  EntityIP, EntityType, AlertId = AlertIds, AlertName = AlertName