How to get Entities related to a SecurityIncident?

Meenal Luktuke 1 Reputation point
2022-10-07T06:16:40.217+00:00

Hi,

Earlier the SecurityIncident schema used to show the entities for that incident, but now we don't get that in the schema. Is there a new table/mapping created? How do I get the entity information for an incident through KQL?

Microsoft Security | Microsoft Sentinel

2 answers

  1. George Moise 2,361 Reputation points Microsoft Employee
    2022-10-07T11:54:52.937+00:00

    Hello @Meenal Luktuke ,

    Indeed, the Entities property is not part of the SecurityIncident data type (table) now.

    You can query your SecurityIncident table to find the required incident, and there you will find the property called AlertIds.
    Then you can use that to join on the SecurityAlert table to find those records; in that table you will have the Entities field, as the entities are mapped to an Alert in Sentinel (the Incident is a container of Alerts and other evidence data).

    Here's a query that you could use to test this:


    SecurityIncident
    | where IncidentNumber == xxxxxx                          // replace with the incident number
    | summarize arg_max(TimeGenerated, *) by IncidentNumber  // keep only the latest state of the incident
    | extend Owner = Owner.assignedTo
    | project IncidentNumber, Title, Severity, Status, Owner, AlertIds
    | mv-expand AlertIds                                     // one row per alert id
    | extend AlertId = tostring(AlertIds)
    | join SecurityAlert on $left.AlertId == $right.SystemAlertId
    | extend CustomDetails = todynamic(ExtendedProperties).["Custom Details"]
    | project IncidentNumber, Title, Severity, Owner, Status, AlertId, Entities, CustomDetails

    I hope that the above helps. If so, please select Accept as an Answer.
    Thank you!
    BR,
    George

    2 people found this answer helpful.

  2. Clive Watson 7,866 Reputation points MVP Volunteer Moderator
    2022-10-07T12:06:54.357+00:00

    Hello, SecurityAlert is the table that holds the Entity information, not SecurityIncident.

    SecurityAlert
    | extend Type_ = tostring(parse_json(Entities)[0].Type)
    | summarize count() by Type_

    You can link the two together:

    SecurityIncident
    | summarize arg_max(TimeGenerated, *) by IncidentNumber   // latest state of each incident
    | extend Alerts = extract("\\[(.*?)\\]", 1, tostring(AlertIds))
    | mv-expand AlertIds to typeof(string)                     // one row per alert id
    | join
    (
        SecurityAlert
        | extend AlertEntities = parse_json(Entities)
        | mv-expand AlertEntities                              // one row per entity
        | where isnotempty(AlertEntities)
    ) on $left.AlertIds == $right.SystemAlertId
    | project IncidentName = Title, IncidentNumber = IncidentNumber, AlertName = AlertName, AlertEntities


    1 person found this answer helpful.
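Building on both answers above, here is an added example (not from either poster) that goes one step further: it deduplicates SecurityAlert rows so an alert that changed state is not joined more than once, skips the `{"$ref": "n"}` back-reference objects that appear in the Entities array, and pulls the identifying value out of each entity according to its Type. The incident number is a placeholder; the entity field names (Name, NTDomain, Address, HostName, Url, DomainName) follow the Sentinel entity schema and the `case()` default assumes any other type is shown as raw JSON.

```kql
// Entities for one incident, one row per (incident, alert, entity).
let TargetIncident = 12345;                                   // placeholder incident number
SecurityIncident
| where IncidentNumber == TargetIncident
| summarize arg_max(TimeGenerated, *) by IncidentNumber       // latest state of the incident
| mv-expand AlertId = AlertIds to typeof(string)              // one row per alert id
| join kind=inner (
    SecurityAlert
    | summarize arg_max(TimeGenerated, *) by SystemAlertId    // one row per alert, not per status change
    | mv-expand Entity = todynamic(Entities)                  // one row per entity object
    | where isnotempty(Entity.Type)                           // drops {"$ref": "n"} back-references
    | extend EntityType = tostring(Entity.Type)
    | extend EntityValue = case(
        EntityType == "account",
            iff(isempty(tostring(Entity.NTDomain)),
                tostring(Entity.Name),
                strcat(tostring(Entity.NTDomain), @"\", tostring(Entity.Name))),
        EntityType == "ip",   tostring(Entity.Address),
        EntityType == "host", tostring(Entity.HostName),
        EntityType == "url",  tostring(Entity.Url),
        EntityType == "dns",  tostring(Entity.DomainName),
        EntityType == "file", tostring(Entity.Name),
        tostring(Entity))                                     // assumption: other types shown as raw JSON
    | project SystemAlertId, AlertName, EntityType, EntityValue
  ) on $left.AlertId == $right.SystemAlertId
| project IncidentNumber, Title, Severity, Status, AlertName, EntityType, EntityValue
// Optional roll-up: one row per incident and entity type with the distinct values.
| summarize EntityValues = make_set(EntityValue) by IncidentNumber, Title, EntityType
```

Remove the final `summarize` to keep the flat per-entity rows, which is the more useful shape when exporting entities for triage.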
