Enrich Sentinel Incident Emails

Hey there,

I've posted here on this topic before when I didn't even know where to start - (https://techcommunity.microsoft.com/t5/microsoft-sentinel/include-additional-entities-detail-in-emai...). The guidance I got was great and I headed off to explore my options. Since then I've been sidetracked several times and I'm just getting back into this process.

The Problem

I use an automation rule to run the "send-email-with-formatted-incident-report" playbook every time an incident is created. Among the details included in the report are the entities associated with the incident. For some incidents, like "Explicit MFA Deny", the entities give enough detail to work with; that incident includes the account as a friendly name and the IP address. With most incidents, the entities don't provide enough details or the right details. The most common issue is that the account is shown as an object id.

Attempted Resolutions

So I tried to extend the playbook by doing a KQL query against the SigninLogs table. If I query the table directly, I am able to find the UserName and/or UPN. When I added this query into the playbook, the first issue I had was that most alerts include multiple entities and the query would fail when it ran into the wrong entity type. So I tried adding a new step, "Entities - Get Accounts" so the individual entity would be available in the workflow. But this fails because it's expecting a text string and the object ID is the wrong type.

Am I approaching this the wrong way? Do I need to build separate playbooks for various alert sources? Or am I missing something with the process of acquiring the entities in the playbook?

TIA,

~dgm~

3 Replies

@DGMalcolm 

Did you try passing the entities through a For Each? This is a simple example:

[screenshot: Clive_Watson_1-1706871820545.png]

@Clive_Watson 

This was fantastic! Thank you very much. I made a bunch of progress since you responded. For a lot of the alerts we get this works perfectly but only if the accounts that I'm acquiring have the friendly name by default. With some alerts, like Atypical Travel, the accounts show as an object ID and those don't show if I use "Entities - Get Accounts". And I don't see anything that allows me to extract the account entities if they're object IDs. Thoughts?

Typically you will have two choices.

1. You need to either enrich the original alert so that it looks up the Account for Object ID or run a totally custom rule to do that
2. You need to run a query within the playbook to do the same lookup and match as a step before get-entities

A third choice is to call a custom rule
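One way to do the second choice (a lookup query run as a playbook step before the entity steps), as an added example that is not code from this thread or from the Sentinel playbook templates. It assumes the playbook passes the incident's alert SystemAlertId values in; the placeholder ID and the 30-day SigninLogs window are assumptions.

```kusto
// Added example, not from the thread. Resolves Account entities that only
// carry an Azure AD object ID (AadUserId) to a UPN / display name using
// SigninLogs, while keeping accounts that already have Name + UPNSuffix.
// Placeholder value below is constructed; the playbook supplies the real IDs.
let alertIds = dynamic(["<SystemAlertId-from-playbook>"]);
// Pull only the account-type entities out of the alert's Entities JSON,
// so other entity types (IPs, hosts, ...) cannot break the lookup.
let accounts =
    SecurityAlert
    | where SystemAlertId in (alertIds)
    | mv-expand Entity = todynamic(Entities)
    | where tostring(Entity.Type) == "account"
    | project SystemAlertId,
              AadUserId = tostring(Entity.AadUserId),
              EntityName = tostring(Entity.Name),
              EntityUpnSuffix = tostring(Entity.UPNSuffix)
    | distinct SystemAlertId, AadUserId, EntityName, EntityUpnSuffix;
// Object IDs that still need resolving.
let ids = toscalar(accounts | where isnotempty(AadUserId) | summarize make_set(AadUserId));
// Most recent sign-in per object ID gives the current UPN and display name.
let lookups =
    SigninLogs
    | where TimeGenerated > ago(30d)
    | where UserId in (ids)
    | summarize arg_max(TimeGenerated, UserPrincipalName, UserDisplayName) by UserId
    | project UserId, UserPrincipalName, UserDisplayName, LastSignIn = TimeGenerated;
accounts
| join kind=leftouter lookups on $left.AadUserId == $right.UserId
// Prefer the UPN from SigninLogs; fall back to Name@UPNSuffix when the entity
// already carried a friendly name; leave empty if neither is available so the
// playbook can flag the account as unresolved instead of emailing a bare GUID.
| extend ResolvedUpn = case(
      isnotempty(UserPrincipalName), UserPrincipalName,
      isnotempty(EntityName) and isnotempty(EntityUpnSuffix), strcat(EntityName, "@", EntityUpnSuffix),
      "")
| project SystemAlertId, AadUserId, ResolvedUpn, UserDisplayName, LastSignIn
```

Run this as a "Run query and list results" step and iterate the rows in a For Each to build the email, rather than relying on "Entities - Get Accounts" for alerts like Atypical Travel that only supply object IDs.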