Microsoft Secure Tech Accelerator
Apr 03 2024, 07:00 AM - 11:00 AM (PDT)
Microsoft Tech Community

Visualization Workbooks

Copper Contributor

Hey Community, 

 

On our Cloud Sentinel env,  i am trying to build workbooks, Under Visualization workbooks create two separate Incidents Column and build on Chart with that Incident.  I would like to display incident from separate work-spaces in Separate column. 

 

Query : 

SecurityIncident

| take 20 

Under Visualization DEMO  workbooks, 

On that All alerts generated on sentinel displays under output column. But we need to separate both core alert and outside org alert.  

10 Replies

@Vshah335 If I understand what you are asking for, you want to be able to have one column for those incidents created by Azure Sentinel and another for those created by other Azure security products like Microsoft Cloud App Security.

 

To do this, you need to get to the actual product creation which is hidden in the AdditionalData field and is called "alertProductNames".  For some reason this is stored as a JSON array so need to extract that value and then expand it like this:

 

SecurityIncident
| extend ProductName = (parse_json(AdditionalData).alertProductNames)
| mv-expand ProductName
 
You can then use the ProductName field to determine who generated the incident.

Thanks Gary Bushey @Gary Bushey 

 

I applied that Value under field name and it's works. 

 

@Gary Bushey  Do you have workbooks visualization template(not in-build in workbooks ) ? For only for Security Incident query. Just want to explore my self into it. 

 

 

@Vshah335 The only one I have is the one that comes with Azure Sentinel.

@Gary Bushey 

 

SecurityIncident
| extend ProductName = (parse_json(AdditionalData).alertProductNames)
| mv-expand ProductName
 
On Above Query U provided earlier , In that there is Field(Colum) called 'Owner'
Question - 
Here, Is it possible only shows 'UserprincipalName' or 'AssignedTO'  Or ' Email' .  Only Need One Field.  Can you please provide updated query? 
{"userPrincipalName":null,"assignedTo":null,"objectId":null,"email":null}
 
Again, thanks in Advance.

@Vshah335 In the query below, you can then use ProductName.alertProductNames or ProductName.Owner or any other entry that is part of the AdditionalData field to get its data.

 

SecurityIncident
| extend ProductName = parse_json(AdditionalData)

@Gary Bushey 

 

SecurityIncident
| extend ProductName = parse_json(AdditionalData, ProductNames.owner)
| mv-expand AdditionalData = " email " 

 

Or 

SecurityIncident
| extend ProductName = parse_json(AdditionalData, ProductNames.owner)
| where AdditionalData = " email " 

 

I am running both query, but throw me error.  Any Idea ? 

@Vshah335 Needs to be more like

 

SecurityIncident
|extend ProductName = parse_json(AdditionalData)
| project ProductName.alertProductNames
 
where "alertProductNames" is an entry that inside of the AdditionalData field.
Hey @Gary Bushey 



I attached screen shot for need to Pharse down field called "Owner"



there are  more elemnets,  "Assign to" Userprinciplename" ,  " Object ID" 

I tried  Query u provided earlier, but won't get results what we need. 

(Output only need on OWNER coloum  "AssignTO " ) 



I hope you understand my question. 

@Vshah335 

Have you tried this?  Also I don't see the screenshot you said you supplied.

 

SecurityIncident
| extend  assignedTo_ = tostring(Owner.assignedTo),
                        userPrincipalName_ = tostring(Owner.userPrincipalName),
                        email_ = tostring(Owner.email)
| where isnotempty (assignedTo_)
| project assignedTo_, userPrincipalName_, email_

 

An example I use:

SecurityIncident
| where TimeGenerated > ago(7d)
| summarize arg_max(LastModifiedTime,*) by tostring(IncidentNumber)
| extend Alerts = extract("\\[(.*?)\\]", 1, tostring(AlertIds))
| mv-expand AlertIds to typeof(string)
| join 
(
    SecurityAlert
    | extend AlertEntities = parse_json(Entities)
    | mv-expand AlertEntities
) on $left.AlertIds == $right.SystemAlertId
| summarize AlertCount=dcount(AlertIds),
            entityList=make_set(tostring(AlertEntities.Type)) by IncidentNumber,
            Status,
            Title,
            Alerts,
            IncidentUrl,
            Owner=tostring(Owner.userPrincipalName),
            assignedTo = tostring(Owner.assignedTo),
            email = tostring(Owner.email),
            product = tostring(parse_json(tostring(AdditionalData.alertProductNames))[0]),
            Tactics =tostring(AdditionalData.tactics)
| project IncidentNumber, Status, AlertCount,Owner, assignedTo, email,  product, Title, Alerts, entityList, Tactics, IncidentUrl
| order by IncidentNumber desc

 

Screenshot 2020-10-14 085658.jpg

@CliveWatson 

Thanks a lot. I got output.