How to correlate Security Alert Entities further with a WorkList


Hi all,


Newbie to Sentinel. 

In old school SIEM, one can easily correlate specific correlated Security Alert entities with a watchlist via data schema mapping.


However, for Sentinel, I notice that the Entities in a SecurityAlert come in a nested format, where I cannot do a simple 1-to-1 mapping to a watchlist for further correlation.


I have a request to further correlate any alert matching

| where DisplayName == "Create incidents based on ADB2C Identity Protection Risky Signin"

with a watchlist containing highly suspicious users (Name + UPN).


The Entities of the event come in this format:




How do I create an analytics rule that alerts on any SecurityAlert "Create incidents based on ADB2C Identity Protection Risky Signin" matched against a WatchList?

2 Replies
best response confirmed by ahhann (Copper Contributor)

Hi there, the best way to extract the individual entities from alerts within the SecurityAlerts table is using the mv-expand operator. There are some examples here -


In your example there, if you wanted to retrieve the IP address, you could do:


SecurityAlert
| extend x = todynamic(Entities)
| mv-expand x
// x is dynamic after the expansion, so convert it before parsing the text
| parse-where tostring(x) with * '$id":"4","' IPAddress '","Type' *

That would create a new column called IPAddress with everything between $id":"4"," and ","Type.


You can then map them to other tables or watchlists etc. like normal.


Thanks for the pointer, got it working:

let domain = "@";
let watchlist = (_GetWatchlist("SuspiciousUser") | project SearchKey);
SecurityAlert
| where DisplayName == "Create incidents based on ADB2C Identity Protection Risky Signin"
// Flatten the nested Entities array into one row per entity
| extend EntitiesDynamicArray = parse_json(Entities)
| mv-expand EntitiesDynamicArray
| extend Entitytype = tostring(EntitiesDynamicArray.Type)
| where Entitytype == "account"
// Rebuild the UPN from the account entity's Name and UPNSuffix
| extend username = tostring(EntitiesDynamicArray.Name)
| extend UPN = tostring(EntitiesDynamicArray.UPNSuffix)
| extend useraccount = strcat(username, domain, UPN)
| where useraccount in (watchlist)
| project TimeGenerated, DisplayName, useraccount, Entities
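A self-contained way to test this correlation before wiring it into an analytics rule, added here as an example and not taken from the thread: both the alerts and the watchlist are constructed inline with datatable, so the query runs in any Log Analytics workspace without a real SecurityAlert row or watchlist, and it joins rather than filters so the watchlist's own columns come back with the hit. The Entities JSON shape, the watchlist columns (Name, UPN) and all values are assumptions.

```kql
// Constructed stand-in for _GetWatchlist("SuspiciousUser"); a real watchlist
// would expose these columns plus SearchKey. All values are made up.
let SuspiciousUsers = datatable(Name:string, UPN:string)
[
    "jdoe",   "jdoe@contoso.example",
    "asmith", "asmith@contoso.example"
];
// Constructed stand-in for the SecurityAlert table. Entities holds the nested
// JSON array Sentinel emits: one object per entity, typed via "Type" and
// numbered via "$id". The first alert matches the watchlist, the second does not.
let SampleAlerts = datatable(TimeGenerated:datetime, DisplayName:string, Entities:string)
[
    datetime(2024-05-01T08:15:00Z), "Create incidents based on ADB2C Identity Protection Risky Signin",
    '[{"$id":"3","Name":"JDoe","UPNSuffix":"contoso.example","Type":"account"},{"$id":"4","Address":"203.0.113.7","Type":"ip"}]',
    datetime(2024-05-01T08:20:00Z), "Create incidents based on ADB2C Identity Protection Risky Signin",
    '[{"$id":"3","Name":"bwayne","UPNSuffix":"contoso.example","Type":"account"},{"$id":"4","Address":"198.51.100.9","Type":"ip"}]'
];
SampleAlerts
| where DisplayName == "Create incidents based on ADB2C Identity Protection Risky Signin"
// Flatten the nested array: one row per entity, then keep only account entities
| mv-expand Entity = parse_json(Entities)
| where tostring(Entity.Type) == "account"
// Rebuild the UPN from Name + UPNSuffix; lower-case both sides so a casing
// difference between the alert and the watchlist does not hide a match
| extend useraccount = tolower(strcat(tostring(Entity.Name), "@", tostring(Entity.UPNSuffix)))
| join kind=inner (
    SuspiciousUsers
    | extend useraccount = tolower(UPN)
  ) on useraccount
| project TimeGenerated, DisplayName, useraccount, WatchlistName = Name
```

With the sample data above the query returns a single row for jdoe@contoso.example; swapping SampleAlerts for SecurityAlert and SuspiciousUsers for _GetWatchlist("SuspiciousUser") turns it into the rule query.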