Forum Discussion
Vshah335
Oct 01, 2020 Copper Contributor
Visualization Workbooks
Hey Community, on our Cloud Sentinel env, I am trying to build workbooks. Under Visualization workbooks, create two separate Incidents columns and build a chart with that Incident. I would like...
Vshah335
Oct 07, 2020 Copper Contributor
SecurityIncident
| extend ProductName = parse_json(AdditionalData, ProductNames.owner)
| mv-expand AdditionalData = " email "
Or
SecurityIncident
| extend ProductName = parse_json(AdditionalData, ProductNames.owner)
| where AdditionalData = " email "
I am running both queries, but they throw me an error. Any idea?
GaryBushey
Oct 07, 2020 Bronze Contributor
Vshah335 It needs to be more like
SecurityIncident
| extend ProductName = parse_json(AdditionalData)
| project ProductName.alertProductNames
where "alertProductNames" is an entry inside the AdditionalData field.
- Vshah335 Oct 16, 2020 Copper Contributor
Thanks a lot. I got output.
- CliveWatson Oct 14, 2020 Former Employee
Have you tried this? Also I don't see the screenshot you said you supplied.
SecurityIncident
| extend assignedTo_ = tostring(Owner.assignedTo), userPrincipalName_ = tostring(Owner.userPrincipalName), email_ = tostring(Owner.email)
| where isnotempty(assignedTo_)
| project assignedTo_, userPrincipalName_, email_
An example I use:
SecurityIncident
| where TimeGenerated > ago(7d)
| summarize arg_max(LastModifiedTime, *) by tostring(IncidentNumber)
| extend Alerts = extract("\\[(.*?)\\]", 1, tostring(AlertIds))
| mv-expand AlertIds to typeof(string)
| join (
    SecurityAlert
    | extend AlertEntities = parse_json(Entities)
    | mv-expand AlertEntities
  ) on $left.AlertIds == $right.SystemAlertId
| summarize AlertCount = dcount(AlertIds), entityList = make_set(tostring(AlertEntities.Type)) by IncidentNumber, Status, Title, Alerts, IncidentUrl, Owner = tostring(Owner.userPrincipalName), assignedTo = tostring(Owner.assignedTo), email = tostring(Owner.email), product = tostring(parse_json(tostring(AdditionalData.alertProductNames))[0]), Tactics = tostring(AdditionalData.tactics)
| project IncidentNumber, Status, AlertCount, Owner, assignedTo, email, product, Title, Alerts, entityList, Tactics, IncidentUrl
| order by IncidentNumber desc
- Vshah335 Oct 13, 2020 Copper Contributor
Hey GaryBushey
I attached a screenshot; I need to parse down the field called "Owner".
There are more elements: "Assign to", "UserPrincipalName", "Object ID".
I tried the query you provided earlier, but it won't get the results we need.
(Output only needs the OWNER column "AssignTO".)
I hope you understand my question.
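Putting Gary's AdditionalData.alertProductNames tip and Clive's Owner parsing together into one chart-ready query for the workbook the original question was about; this is an added example, not code from any of the posters. It assumes the standard SecurityIncident schema (Owner and AdditionalData are dynamic columns, so no parse_json is needed) and that the chart should count each incident once even though SecurityIncident stores a new row on every update.

```kql
SecurityIncident
| where TimeGenerated > ago(30d)
// Every update to an incident writes a fresh row; keep only the latest
// state of each incident so counts below are per incident, not per update.
| summarize arg_max(LastModifiedTime, *) by IncidentNumber
// Owner is a dynamic (JSON) column: pull the fields out as strings.
| extend assignedTo = tostring(Owner.assignedTo),
         ownerEmail = tostring(Owner.email)
// Unassigned incidents have an empty assignedTo; label them explicitly
// so they show up as their own bar instead of silently vanishing.
| extend assignedTo = iff(isempty(assignedTo), "Unassigned", assignedTo)
// alertProductNames is an array inside AdditionalData; expand it so an
// incident backed by two products is counted under each product.
| mv-expand Product = AdditionalData.alertProductNames to typeof(string)
| extend Product = iff(isempty(Product), "Unknown", Product)
// Rows for the chart: one per (product, assignee) with the incident count.
| summarize IncidentCount = dcount(IncidentNumber) by Product, assignedTo
| order by IncidentCount desc
| render barchart
```

In a workbook, the render line can be dropped and the query's Visualization set to Bar chart, with Product on the X axis and assignedTo as the series, which is the split-by-owner view the thread was working towards.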