Microsoft Tech Community

Sentinel: IPCustomEntity missing from Graph security alerts

First post, so: hi all!

I need to be able to query Sentinel incidents programmatically for further processing but noticed that not all entities are available when querying through Graph.

My query gets user, host and source IP from the results:

| extend AccountCustomEntity = user           // mapped to the Account entity
| extend HostCustomEntity = host_s            // mapped to the Host entity
| extend IPCustomEntity = tostring(sourceip)  // mapped to the IP entity

And the IP addresses show up in the web interface. If I perform a query against https://graph.microsoft.com/v1.0/security/alerts I get all the Sentinel incidents but the IP address is missing from the response:

{'id': '...', 'azureTenantId': '...', 'azureSubscriptionId': '...', 'riskScore': None, 'tags': [], 'activityGroupName': None, 'assignedTo': None, 'category': '...', 'closedDateTime': None, 'comments': [], 'confidence': None, 'createdDateTime': '2020-01-29T13:50:07.4965087Z', 'description': '...', 'detectionIds': [], 'eventDateTime': '2020-01-29T13:35:06.725Z', 'feedback': None, 'lastModifiedDateTime': '2020-01-29T13:50:07.5670528Z', 'recommendedActions': [], 'severity': 'medium', 'sourceMaterials': [], 'status': 'newAlert', 'title': '...', 'vendorInformation': {'provider': 'Azure Sentinel', 'providerVersion': None, 'subProvider': None, 'vendor': 'Microsoft'}, 'cloudAppStates': [], 'fileStates': [], 'hostStates': [{'fqdn': None, 'isAzureAdJoined': None, 'isAzureAdRegistered': None, 'isHybridAzureDomainJoined': None, 'netBiosName': 'mypc', 'os': None, 'privateIpAddress': None, 'publicIpAddress': None, 'riskScore': None}, {'fqdn': None, 'isAzureAdJoined': None, 'isAzureAdRegistered': None, 'isHybridAzureDomainJoined': None, 'netBiosName': 'mypc', 'os': None, 'privateIpAddress': None, 'publicIpAddress': None, 'riskScore': None}], 'historyStates': [], 'malwareStates': [], 'networkConnections': [], 'processes': [], 'registryKeyStates': [], 'triggers': [], 'userStates': [{'aadUserId': None, 'accountName': 'myuser', 'domainName': None, 'emailRole': 'unknown', 'isVpn': None, 'logonDateTime': None, 'logonId': None, 'logonIp': None, 'logonLocation': None, 'logonType': None, 'onPremisesSecurityIdentifier': None, 'riskScore': None, 'userAccountType': None, 'userPrincipalName': 'myuser'}, {'aadUserId': None, 'accountName': 'myuser', 'domainName': None, 'emailRole': 'unknown', 'isVpn': None, 'logonDateTime': None, 'logonId': None, 'logonIp': None, 'logonLocation': None, 'logonType': None, 'onPremisesSecurityIdentifier': None, 'riskScore': None, 'userAccountType': None, 'userPrincipalName': 'myuser'}], 'vulnerabilityStates': []}

I would expect the IP address to be in one of the IP related fields but it is not. Am I missing something obvious?

@rogierg Depending on what you need to do with the information, you can use the Azure Sentinel REST API calls to get the information.

There are a couple of blog posts out there on how to use it including mine on using PowerShell here https://www.garybushey.com/2020/01/11/your-first-azure-sentinel-rest-api-call/

Since it is a REST call, you should be able to do it in your preferred language.

@Gary Bushey: thanks for your response. This information is not in the Sentinel REST API:

{"title":"CEF test","description":"","severity":"Medium","status":"New","labels":[],"endTimeUtc":"2020-01-31T10:06:18.027Z","startTimeUtc":"2020-01-31T09:27:14.243Z","owner":{"objectId":null,"email":null,"name":null},"lastUpdatedTimeUtc":"2020-02-03T12:50:03Z","createdTimeUtc":"2020-02-03T12:50:03.9258785Z","relatedAlertIds":["..."],"relatedAlertProductNames":["Azure Sentinel"],"caseNumber":6171,"totalComments":0,"metrics":{"SecurityAlert":1},"firstAlertTimeGenerated":"2020-02-03T12:50:03.0676935Z","lastAlertTimeGenerated":"2020-02-03T12:50:03.0676935Z"}},{"id":"/subscriptions/.../resourceGroups/.../providers/Microsoft.OperationalInsights/workspaces/.../providers/Microsoft.SecurityInsights/Cases/...","name":"...","etag":"\\"...\\"","type":"Microsoft.SecurityInsights/Cases","properties":{"title":"CEF test","description":"","severity":"Medium","status":"New","labels":[],"endTimeUtc":"2020-01-31T10:06:18.027Z","startTimeUtc":"2020-01-31T09:27:14.243Z","owner":{"objectId":null,"email":null,"name":null},"lastUpdatedTimeUtc":"2020-02-03T12:49:53Z","createdTimeUtc":"2020-02-03T12:49:53.5068612Z","relatedAlertIds":["..."],"relatedAlertProductNames":["Azure Sentinel"],"caseNumber":6170,"totalComments":0,"metrics":{"SecurityAlert":1},"firstAlertTimeGenerated":"2020-02-03T12:49:52.6768191Z","lastAlertTimeGenerated":"2020-02-03T12:49:52.6768191Z"}}

I was able to get the entities by performing a query against the log analytics API but this is not ideal:

SecurityAlert | where SystemAlertId == '" + systemalertid + "' | project Entities

Another thing I tried is to send logs in CEF format to Sentinel. The information then shows up in CommonSecurityLog (and I could then query it like above) but not in the Sentinel REST API.

Any idea why?
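The Entities value returned by the `SecurityAlert | project Entities` query in the reply above is a JSON string, and the reply builds that query by splicing the alert id straight into the KQL. The following is an added example, not code from the thread or from Microsoft: it parses such a value into IP, account and host entities (dropping duplicates, back-references and malformed addresses) and validates the id as a GUID before it is placed in the query. The entity field names `Type`, `Address`, `Name` and `HostName`, and the `SAMPLE_ENTITIES` record, are assumptions constructed for the example.

```python
"""Parse a Sentinel SecurityAlert.Entities value and build the lookup query safely.

Added example, not code from the thread. It assumes the Entities column holds a
JSON array of objects with a "Type" field ("ip", "account", "host") whose
identifying values live in "Address", "Name" and "HostName"; SAMPLE_ENTITIES is
constructed to that assumed shape."""
import ipaddress
import json
import uuid

# Constructed sample of one alert's Entities value, mimicking what the
# AccountCustomEntity / HostCustomEntity / IPCustomEntity mappings produce.
SAMPLE_ENTITIES = json.dumps([
    {"$id": "2", "Name": "myuser", "Type": "account"},
    {"$id": "3", "HostName": "mypc", "Type": "host"},
    {"$id": "4", "Address": "203.0.113.7", "Type": "ip"},
    {"$id": "5", "Address": "203.0.113.7", "Type": "ip"},  # duplicate, like the repeated hostStates
    {"$id": "6", "Address": "not-an-ip", "Type": "ip"},    # malformed, must not pass through
    {"$ref": "4"},                                         # back-reference, carries no Type
])

# Entity type (lower-cased) -> field holding its identifying value (assumed names).
VALUE_FIELD = {"ip": "Address", "account": "Name", "host": "HostName"}


def parse_entities(entities_json):
    """Return {"ip": [...], "account": [...], "host": [...]} from an Entities JSON string.

    Unknown types, back-references, non-string values and IP strings that do not
    parse as IPv4/IPv6 are dropped; duplicates are collapsed, preserving order."""
    found = {kind: [] for kind in VALUE_FIELD}
    try:
        entities = json.loads(entities_json)
    except (TypeError, ValueError):  # json.JSONDecodeError is a ValueError
        return found
    if not isinstance(entities, list):
        return found
    for entity in entities:
        if not isinstance(entity, dict):
            continue
        kind = str(entity.get("Type", "")).lower()
        field = VALUE_FIELD.get(kind)
        if field is None:
            continue
        value = entity.get(field)
        if not isinstance(value, str) or not value:
            continue
        if kind == "ip":
            try:
                value = str(ipaddress.ip_address(value))  # canonical form, rejects junk
            except ValueError:
                continue
        if value not in found[kind]:
            found[kind].append(value)
    return found


def is_valid_alert_id(system_alert_id):
    """SystemAlertId is a GUID; anything else is refused before it reaches KQL."""
    try:
        uuid.UUID(str(system_alert_id))
    except ValueError:
        return False
    return True


def build_entities_query(system_alert_id):
    """Build the Log Analytics query from the thread without splicing untrusted
    input into KQL: the id is normalised to canonical GUID form first, so no
    quotes or pipe operators can be smuggled in. '=~' (case-insensitive) is used
    because the canonical form is lower-case."""
    if not is_valid_alert_id(system_alert_id):
        raise ValueError("SystemAlertId must be a GUID")
    guid = str(uuid.UUID(str(system_alert_id)))
    return f"SecurityAlert | where SystemAlertId =~ '{guid}' | project Entities"


if __name__ == "__main__":
    print(build_entities_query("8a2d5b9e-1c3f-4e7a-9b0d-2f6c8e1a3d5b"))
    print(parse_entities(SAMPLE_ENTITIES))
```

In practice the string returned by `build_entities_query` is what you would submit to the Log Analytics query API, and `parse_entities` is applied to the `Entities` cell of each row that comes back; the GUID check matters whenever the alert id originates from something other than your own code, such as a webhook payload.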