Feb 25 2020 07:06 AM - edited Feb 25 2020 07:11 AM
Hi
We are currently trying to automate some alerts through Playbooks.
We created a custom alert that checks for Impossible Travel Alerts from MCAS.
This works well. But the issue is that some data that is in the SecurityAlerts table (like ExtendedProperties and Entities) isn't forwarded to the Logic App when it's triggered by Sentinel.
I attached a screenshot of what data is forwarded through a logic app
Because Sentinel Entities do not support an array, but only one value. It's not possible to use those, because an impossible travel alert has multiple IP's.
So we are looking for another way to get all the data of a Sentinel alert into a playbook.
Should we query log analytics for this? I don't really like doing this, because this seems like an unnecessary step.
Does anybody have something for this?
Feb 25 2020 12:00 PM
@Thijs Lecomte Not sure what you mean when you say that Entities do not support arrays. If the alert that creates the Incident finds multiple events and each of those events has matching entities, then the incident will have multiple entities.
I currently have one incident that is made up of 13 events and has 5 IP and 6 Account Entities in it. Using a Playbook to write the Entities to a Teams message I see that it writes out the Entities in a JSON array.
Looking at your image it shows the same thing just that, in your case, you only have 1 Entity listed
Feb 25 2020 12:04 PM
Feb 25 2020 12:08 PM
@Thijs Lecomte One event will only have up to a single value for each of the entities.
Feb 25 2020 12:12 PM
Feb 25 2020 02:34 PM
@Thijs Lecomte I would not expect this to change. What do you mean when you say full details? What is missing?
Feb 26 2020 07:07 AM
@Thijs Lecomte This is something I have done and probably you could do.
Entities and Extended properties are JSON parameters. Using the data operations connector parse these parameters. You could get the JSON schema from the entities/extended properties logs.
Almost all of the times the scheduled query is available in the Extended properties. By parsing you will convert JSON into String and take the Query parameter out. Initialize the variable naming it as XYZ and use Query with a time period(this is must).
Using Azure Log Analytics run this initialized variable and you should be good to go.. Seems like a lot of pain but works just fine.
Feb 26 2020 10:24 AM
That's how I do it too ATM.
But this means there is an extra query to log analytics which seems unnecessary to me... Shouldn't this be available by default?
@Gary Bushey Some data that I see in the SecurityAlerts table isn't able in the Playbook. These are columns like 'Entities' and 'ExtendedProperties' (these are columns that contain extra data from MCAS).
Feb 27 2020 05:33 AM
@Thijs Lecomte I believe what @Pranesh1060 meant is that you can take the Extended properties and the Entities fields and use the Logic Apps Parse JSON action to extract the information. There is no reason to perform another query against Log Analytics.
Jun 06 2021 03:48 PM
Hi @Gary Bushey
I have 2 questions about creating playbooks for Sentinel.
1. Is there a basic rule for when you need to use the parse json function and when you don't?
eg. you can NOT:
"When Azure Sentinel incident creation rule was triggered" > "Send an email (v2)"
you CAN:
"When Azure Sentinel incident creation rule was triggered" > "parse json" > "Send an email (v2)"
However you CAN do this w/o the need for parse json:
"When Azure Sentinel incident creation rule was triggered" > "Run query and list results"
2. Secondly, when using 'parse json', how do you create the json template? Is it usually just a simple format based on the fields of interest? eg.
{
"$id": "3",
"Url": "T1039",
"Type": "url"
}
Thank you.
Jun 07 2021 04:10 AM
@SocInABox 1) I don't think there is a set rule, it really depends on what type of information you are trying to obtain
2) Usually, I run the playbook without the parse JSON action first, look at the run, copy the data that I need to parse from the output of the action that creates it, and then paste it into the parse JSON action as sample data and let the action handle the parsing.
Jun 07 2021 05:57 AM
Thanks @Gary Bushey
"look at the run" is what I needed to know, thanks!
What I'm saying about the parse json rule is that some operators don't need it as a predecessor and some do - for example if you want to include fields from your alert in the email function you must use parse json first. But maybe the send email is a special exception?
Jun 07 2021 10:10 AM
@SocInABox It depends on the field you are looking to use. Some of the information is stored as JSON and some of it is returned directly as a variable.
Jun 20 2021 09:05 AM
Aug 23 2023 03:47 AM