May 10 2022 08:04 AM - edited May 10 2022 08:04 AM
Hi,
I want to create an extra column for entity data from the incident, like host, IP and account. But I can't seem to get it working. What do I need to add to this query?
May 10 2022 09:01 AM - edited May 10 2022 09:04 AM
@MartijnZwart An example for the IP entity, which may give you a clue. As you are doing this for a Workbook, take a look at the "Investigation Insights" built-in template, which has this.
SecurityIncident
// SecurityIncident gets a new row on every update; keep only the latest row per incident
| summarize arg_max(TimeGenerated, *) by IncidentNumber
| extend Alerts = extract("\\[(.*?)\\]", 1, tostring(AlertIds))
// AlertIds is a dynamic array; expand to one row per alert so it can be joined
| mv-expand AlertIds to typeof(string)
| join
(
SecurityAlert
// Entities is a JSON array of entity objects; expand to one row per entity
| extend AlertEntities = parse_json(Entities)
| mv-expand AlertEntities
| where isnotempty(AlertEntities)
// Keep only IP entities; the address lives in the Address field of that entity type
| where AlertEntities.Type == "ip"
| extend EntityIP = tostring(AlertEntities.Address)
| extend EntityType = tostring(AlertEntities.Type)
) on $left.AlertIds == $right.SystemAlertId
| project IncidentName = Title, IncidentNumber = IncidentNumber, EntityIP, EntityType, AlertId = AlertIds, AlertName = AlertName
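The reply above covers the IP entity only, while the question asks for host, IP and account. The query below is an added example (not the reply author's code and not from a Sentinel template) that generalizes the same join to all three entity kinds and collapses them back to one row per incident. It assumes the standard Sentinel entity schema field names (ip: Address; host: HostName; account: Name and UPNSuffix); the Severity and Status columns are taken from SecurityIncident, and the SystemAlertId deduplication is added because SecurityAlert, like SecurityIncident, stores a new row each time an alert is updated.

```kql
// Added example: entities of three kinds per incident, one row per incident.
// Assumes the standard Sentinel entity schema (ip.Address, host.HostName,
// account.Name / account.UPNSuffix).
let IncidentAlerts =
    SecurityIncident
    // latest version of each incident, one row per alert it contains
    | summarize arg_max(TimeGenerated, *) by IncidentNumber
    | mv-expand AlertIds to typeof(string)
    | project IncidentNumber, IncidentName = Title, Severity, Status, AlertId = AlertIds;
let AlertEntities =
    SecurityAlert
    // alerts are also re-written on update; keep the latest row per alert
    | summarize arg_max(TimeGenerated, *) by SystemAlertId
    | mv-expand Entity = parse_json(Entities)
    | where isnotempty(Entity)
    | extend EntityType = tostring(Entity.Type)
    | where EntityType in ("ip", "host", "account")
    // pick the identifying field for each entity kind
    | extend EntityValue = case(
        EntityType == "ip", tostring(Entity.Address),
        EntityType == "host", tostring(Entity.HostName),
        EntityType == "account", iff(isnotempty(Entity.UPNSuffix),
            strcat(tostring(Entity.Name), "@", tostring(Entity.UPNSuffix)),
            tostring(Entity.Name)),
        "")
    | where isnotempty(EntityValue)
    | project SystemAlertId, AlertName, EntityType, EntityValue;
IncidentAlerts
| join kind=inner AlertEntities on $left.AlertId == $right.SystemAlertId
// collapse the alert/entity rows back to one row per incident with set-valued columns
| summarize
    Hosts = make_set_if(EntityValue, EntityType == "host"),
    IPs = make_set_if(EntityValue, EntityType == "ip"),
    Accounts = make_set_if(EntityValue, EntityType == "account"),
    Alerts = make_set(AlertName)
    by IncidentNumber, IncidentName, Severity, Status
| order by IncidentNumber desc
```

In a Workbook the three set-valued columns render as arrays; if a flat string is preferred for each, wrap them in strcat_array(..., ", "). Incidents whose alerts carry none of the three entity kinds drop out because of the inner join; switch to kind=leftouter on the IncidentAlerts side if those rows should still appear with empty sets.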