Jul 21 2022 11:47 AM
I need help regarding the creation of a mock/dummy incident in Sentinel using the "print" operator. I want to have the below items added into entities as is.
IP
Sender Email
Recipient
Subject
URL
print user="example[@]example.com", ip1="1.1.1.1", ip2="2.2.2.2", Sender="example[@]example.com", Recipient="example[@]example.com", Subject="This is a test phishing email", Mailbox="example[@]example.com", Url="https://test.com"
I created a test rule and tried to map those entities using the rule wizard under mailbox, submission mail and mail messages separately, and tried all possible options, but was still unsuccessful. I'd appreciate it if anyone can help with the correct approach. Thanks.
Jul 22 2022 03:43 AM
@securityxpert1122 Not even sure that the "print" command will work in a rule. What you could do is to create a datatable that contains all the information you want in it and then just show that datatable. I do this a lot to create demo incidents.
let demoData = datatable (Data: string) [
"Demo data"
];
demoData
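The datatable approach from the reply, extended to carry the fields listed in the question, one typed column per value so each can be picked in the rule wizard's entity mapping. This is an added example, not code from either poster; the column names and sample values are constructed, and the entity identifiers named in the comments are suggested mappings, not something the thread confirms.

```kusto
// Constructed demo row: all values are sample data modelled on the question.
let demoData = datatable (
    User: string,       // split below for the Account entity
    Ip1: string,        // IP entity -> Address
    Ip2: string,        // second IP entity -> Address
    Sender: string,     // Mail message entity -> Sender
    Recipient: string,  // Mail message entity -> Recipient
    Subject: string,    // Mail message entity -> Subject
    Mailbox: string,    // Mailbox entity -> MailboxPrimaryAddress
    Url: string         // URL entity -> Url
) [
    "example@example.com", "1.1.1.1", "2.2.2.2",
    "example@example.com", "example@example.com",
    "This is a test phishing email",
    "example@example.com", "https://test.com"
];
demoData
// Split the UPN so the Account entity can be mapped as Name + UPNSuffix.
| extend AccountName = tostring(split(User, "@")[0]),
         AccountUPNSuffix = tostring(split(User, "@")[1])
```

Run the query on its own first to confirm it returns a single row with every column populated before mapping the columns in the rule.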