Include Additional Entities Detail in Email

Hey all,

 

I am relatively new to Sentinel and I've run across a situation I can't seem to resolve. I've enabled the "SentinelIncident" automation rule and I've configured it to run the 'Send-email-with-formatted-incident-report' playbook. I am receiving the emails when incidents happen but the emails are missing some important details. For example, I occasionally get an email entitled " New Azure Sentinel incident - Atypical travel". In the Entities box at the bottom of this email there are 2 columns - Entity and Entity Type. For this type of incident the Entity column shows a GUID with an Entity Type of Account. Can I resolve the GUID to a user name or UPN so that it shows in the email? Without the user name I have to log into Azure to find out which user is responsible for the incident.

 

Related but probably more advanced, is there a way to give a geolocation for the IP addresses that also show in the Entities box. It would be helpful to know where the Atypical Travel was happening.

 

TIA

~dgm~

11 Replies
best response confirmed by DGMalcolm (Iron Contributor)
Solution
Two options:

1. You can amend the Playbook to run a new KQL query to do the UPN lookup and geo lookup https://learn.microsoft.com/en-us/azure/data-explorer/kusto/query/geo-info-from-ip-address-function
2. You can disable the atypical travel alert with an Automation Rule, then write and run your own version of Atypical travel with all the enrichments you need and call the playbook from that
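As an added example (not code from this thread, the playbook, or Microsoft's documentation), the query below does both lookups from option 1 in a single KQL query, so that one "Run query" step in the playbook can return a table to render in the email. It assumes the Entra ID sign-in logs (SigninLogs) are being ingested into the Sentinel workspace; the account GUID and the IP addresses are constructed placeholder values that in the playbook would be supplied from the incident's entities as dynamic content.

```kusto
// Added example, not part of the thread: resolve an Account entity GUID to a UPN
// and geolocate the IP entities in one query for the playbook's Run Query step.
// Constructed inputs: in the playbook these come from the incident entities (dynamic content).
let AccountObjectId = "00000000-0000-0000-0000-000000000000";          // placeholder Account entity GUID
let EntityIps = dynamic(["203.0.113.10", "198.51.100.25", "10.0.0.5"]); // constructed sample IPs (documentation ranges plus one private)
// 1) GUID -> UPN: SigninLogs.UserId holds the Entra ID object ID of the signing-in user.
//    Assumes the Entra ID sign-in logs connector is enabled for the workspace.
let UpnLookup =
    SigninLogs
    | where TimeGenerated > ago(30d)
    | where UserId == AccountObjectId
    | summarize arg_max(TimeGenerated, UserPrincipalName, UserDisplayName) by UserId
    | project Entity = UserId,
              EntityType = "Account",
              Detail = strcat(UserPrincipalName, " (", UserDisplayName, ")");
// 2) IP -> location using the built-in geo_info_from_ip_address() function.
//    Private or reserved addresses resolve to empty fields, so label those explicitly
//    instead of emitting a row that reads ", , ".
let GeoLookup =
    print Ip = EntityIps
    | mv-expand Ip to typeof(string)
    | extend Geo = geo_info_from_ip_address(Ip)
    | extend Country = tostring(Geo.country),
             State   = tostring(Geo.state),
             City    = tostring(Geo.city)
    | project Entity = Ip,
              EntityType = "IP",
              Detail = iff(isempty(Country),
                           "no public geolocation (private/reserved address)",
                           strcat(City, ", ", State, ", ", Country));
// Combine both lookups into one table the playbook can render in the email body.
UpnLookup
| union GeoLookup
| order by EntityType asc
```

In the playbook, the two `let` values at the top are the only parts that need to change: replace the placeholder GUID and the IP list with the Account and IP entity values from the incident trigger. Keeping the output as a flat three-column table (Entity, EntityType, Detail) means the existing "Create HTML table" step in the email playbook can consume it without further shaping.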
Great, thank you for the guidance. I'm digging into these options now.
I went off to begin digging into these details but then got sidetracked by other things, you know life. And now I've come back to this. I've got queries that pull the geolocation info and I am able to get the UPN data. But I'm not sure how to "amend the Playbook to run a new KQL query". I don't see an option in the Playbook editor for running a KQL query - am I just missing something?

@DGMalcolm 

Press the "New step" button in the Playbook Editor then type in a search for "Run Query"

 

@Clive_Watson

Okay, maybe it's not just me being a dummy. I tried using that step but the 'Subscription' field doesn't populate. I figured that it wasn't licensed on my subscription somehow. Guess I need to figure out what's causing this then.

@DGMalcolm 

 

Have you tried making sure you're not filtering out any subscriptions in the portal settings?

 

@MicahFalde 

Thought that might be it for a moment or two - when I looked at the settings it was filtered to 1 subscription. However, I changed the filter to All Subscriptions and the Subscription field still shows "Loading..." for 1-2 seconds then says 'No Items'. I logged out and back in to ensure it wasn't related to the session. Still nothing.

@DGMalcolm 

 

It can depend on what Subscription you need. If it's the Sentinel Workspace one, that is available as "Dynamic content" - search for "Subscription" in the box that pops up when you click on the Subscription field

 

@Clive_Watson 

Thank you for your help with this. It definitely got me a couple of steps closer. I still find myself hunting for the options I need. Is there a Logic Apps dev guide or learning resource someplace? I've looked and can only seem to find the standard MS Docs, which don't really give me enough detail.

 

TIA

~dgm~

There are loads of resources on Learn (which I think you've seen) especially in the reference section: https://learn.microsoft.com/en-us/azure/logic-apps/logic-apps-overview

Pluralsight and Udemy (and others) have courses, but I've not done them so don't have a recommendation.

Module 9 of https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/become-a-microsoft-sentinel-ninja-the... will also help - with a video

@Clive_Watson 

Once again, thank you for the help. I'll dig around in this and see if there are some answers.

TY

~dgm~
