SOLVED

How to correlate Security Alert Entities further with a WorkList

New Contributor

Hi all,

 

Newbie to Sentinel. 

In old school SIEM, one can easily correlate specific correlated Security Alert entities with a watchlist via data schema mapping.

 

However for Sentinel, i notice that the Entities in Security Alert comes in multiple nested format, where i cannot do a simple 1 to 1 map to watch list to further correlate.

 

I have a request to further correlate any 

SecurityAlert
| where DisplayName == "Create incidents based on ADB2C Identity Protection Risky Signin"

with a watchlist containing high suspicious user, Name + UPN

 

The Entities of the event comes in these format:

Entities
[{"$id":"3","Url":"[\"unfamiliarFeatures\"]","Type":"url"},{"$id":"4","Address":"1.2.3.4","Type":"ip"},{"$id":"5","Name":"someuser","UPNSuffix":"gmail.com","IsDomainJoined":true,"Type":"account"}]

 

TLDR:

How to create an analytic rules to alert any SecurityAlert "Create incidents based on ADB2C Identity Protection Risky Signin" with a WatchList?

2 Replies
best response confirmed by ahhann (New Contributor)
Solution

Hi there, the best way to extract the individual entities from alerts within the SecurityAlerts table is using the mv-expand operator. There are some examples here - https://github.com/reprise99/Sentinel-Queries/tree/main/Security%20Alert

 

In your example there if you wanted to retrieve the IP address, you could do

 

| extend x = todynamic(Entities)
| mv-expand x
| parse-where x with * '$id":"4","' IPAddress '","Type' *

That would create you a new column called IPAddress with everything between $id":"4"," and ","Type

 

You can then map them to other tables or watchlists etc like normal

 

Thanks for the pointer, got it working:
let domain = "@";
let watchlist = (_GetWatchlist("SuspiciousUser") | project SearchKey);
SecurityAlert
| extend EntitiesDynamicArray=parse_json(Entities) | mvexpand EntitiesDynamicArray
| extend Entitytype = tostring(parse_json(EntitiesDynamicArray).Type)
| where Entitytype == "account"
| extend username=tostring(parse_json(EntitiesDynamicArray).Name)
| extend UPN=tostring(parse_json(EntitiesDynamicArray).UPNSuffix)
| extend useraccount = strcat(username, domain, UPN)
| where useraccount in (watchlist)
| project TimeGenerated, DisplayName, useraccount, Entities