cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Microsoft Secure Tech Accelerator
Apr 13 2023, 07:00 AM - 12:00 PM (PDT)
Microsoft Tech Community
Find out more
SOLVED

Sentinnel Entity Mapping Issue

SentinnelCMAN
New Contributor

‎Dec 31 2021 10:35 AM

‎Dec 31 2021 10:35 AM

Sentinnel Entity Mapping Issue

am writing an analytic rule for sentinel for activity captured on a Windows 10 Pro VM corresponding to a Windows Event ID from Event Viewer. For the entities on the alert rule I have the Host which is the windows 10 VM as well as a field for the account name that initiated the action. However, when the alert fired only the host name appears and not the user account. I used a KQL query to project the account name and the field comes up as empty in the Logs as well. The only place I see the username is when I look at the EventData field in the logs and it is under the SubjectUserName. Is there anyway to utilze categories from the EventData Field in Sentinnel Logs in an analytic rule?

Labels:
743 Views
0 Likes
5 Replies
Reply
5 Replies
best response confirmed by SentinnelCMAN (New Contributor)
m_zorich

‎Dec 31 2021 05:32 PM

‎Dec 31 2021 05:32 PM

Solution

Re: Sentinnel Entity Mapping Issue

Yep you will need to use the parse operator to take the field you want out of your EventData

Not exactly sure what EventID you are after (feel free to post an example of the EventData), but an example of parsing EventData is as follows

SecurityEvent
| parse EventData with * '<Data Name="SubjectUserName">' User '</Data>' *

Add that to your query and it will create you a new column called 'User' from everything between <Data Name="SubjectUserName"> and '</Data>' and you can then map it to an entity in your analytic rule.

I did a little guide to using parse and split on my GitHub if you are interested - https://github.com/reprise99/Sentinel-Queries#parse-and-split-basics

1 Like
Reply
SentinnelCMAN

‎Dec 31 2021 07:07 PM

‎Dec 31 2021 07:07 PM

Re: Sentinnel Entity Mapping Issue

Thank you so much! It works!
0 Likes
Reply
SentinnelCMAN

‎Jan 15 2022 11:16 AM - edited ‎Jan 15 2022 11:27 AM

‎Jan 15 2022 11:16 AM - edited ‎Jan 15 2022 11:27 AM

Re: Sentinnel Entity Mapping Issue

Had a follow up question. Would parse would work on a particular part of an Eventdata field?. For instance in Event data for the query Im writing one of the categories is TaskContent . There is alot of info there but i only want this piece "<Exec> <Command>"C:\Program Files (x86)\Internet Explorer\iexplore.exe" How would set it to only pull this from the TaskContent field and nothing else? I have attached the screenshot of the eventdata.

Preview file
308 KB
0 Likes
Reply
m_zorich

‎Jan 15 2022 01:53 PM

‎Jan 15 2022 01:53 PM

Re: Sentinnel Entity Mapping Issue

Yep parse will work on that, you can use parse multiple times as well, the key is just telling parse what is at the start and end of the data you are after.

| parse EventData with * 'Command>"' CommandRun '</Command>' *

That will create you new column called CommandRun with everything between Command> and </Command>
0 Likes
Reply
SentinnelCMAN

‎Jan 16 2022 09:54 AM

‎Jan 16 2022 09:54 AM

Re: Sentinnel Entity Mapping Issue

@m_zorich 

I see. I tried this and later realized the XML in Event Viewer that I attached earlier and the XML in The Sentinel logs are slightly different. as opposed to "<Exec> <Command>"C:\Program Files (x86)\Internet Explorer\iexplore.exe" shown in event viewer the same info within the TaskContent field in sentinel is &lt;Command&gt;"C:\Program Files (x86)\Internet Explorer\iexplore.exe" &lt;/Command&gt
Per your logic i tried the following (see attached picture).

 

Is there something i'm missing?

Preview file
3 KB
0 Likes
Reply