Microsoft Secure Tech Accelerator
Apr 03 2024, 07:00 AM - 11:00 AM (PDT)
Microsoft Tech Community
SOLVED

RE: How you extract 'Incident ARM ID' from a KQL query to be used in a Logic App

Brass Contributor

Hello,

 

Can the Security Incident ID be extracted from the SecurityIncident table and used as a property or Entity value in a workflow action of a Logic App, such as 'Update Incident'? See the below image...

What is the actual structure of the Incident ARM ID? Is it the 'IncidentNumber' from the table, OR do you have to parse it from the property 'IncidentUrl'?

 

JMSHW0420_2-1679667996367.png

 

 

 

 

6 Replies
best response confirmed by Rod_Trent (Microsoft)
Solution

@JMSHW0420 It comes from the system assigned Incident ID, the same ID that's included on the URL for the Incident in the browser. In the SecurityIncident table it's in the IncidentName data column.

 

incidentname.jpg

Thanks for replying, @Rod_Trent. Much appreciated.

So, I am running part of the following query in an analytics rule. So passing the IncidentName will basically 'map' to the value of 'Incident ARM ID' in the action of 'Update Incident' in a Logic App?

//Test on Security Incident Properties related to a Security Alert
SecurityAlert
| where TimeGenerated between (ago(7d) ..now())
| where AlertName == "Non-Compliant Device Detected"
| extend Entities = iff(isempty(Entities), todynamic('[{"dummy" : ""}]'), todynamic(Entities))
| mv-expand Entities
| extend id_ = tostring(Entities.["$id"]),
DeviceName = tostring(Entities.HostName)
| summarize arg_max(TimeGenerated,*) by SystemAlertId
| join (
SecurityIncident
| summarize arg_max(TimeGenerated,*) by IncidentNumber
| extend Alerts = extract("\\[(.*?)\\]", 1, tostring(AlertIds))
| mv-expand AlertIds to typeof(string)
) on $left.SystemAlertId == $right.AlertIds
| project IncidentName, IncidentNumber, AlertName

IF the above query returns multiple rows of data (E.G. 6 related Incidents), can I assume the Logic App can parse the data using the 'Parse JSON' and perform some form of For...Loop?

Essentially, I want to 'Update' each Incident and change the Severity level...
Hi @Rod_Trent, so passing the IncidentName will basically 'map' to the value of 'Incident ARM ID' in the action of 'Update Incident' in a Logic App?
1 best response

Accepted Solutions
best response confirmed by Rod_Trent (Microsoft)
Solution

@JMSHW0420 It comes from the system assigned Incident ID, the same ID that's included on the URL for the Incident in the browser. In the SecurityIncident table it's in the IncidentName data column.

 

incidentname.jpg

View solution in original post