How to enrich data available in ASIM parser using custom data source?

Nirali Shah 146 Reputation points
2023-04-18T09:37:33.1366667+00:00

We have one use case of Alert enrichment in which we need to enrich alerts of other data sources available in Microsoft Sentinel with our custom data source.
For that we have created analytic rules based on ASIM parser to generate an incident when IP, Domain, Hash, Url, Hostname are available in that particular ASIM parser table.
We have created a playbook which is triggered by an incident generated by the above mentioned analytic rule. In this playbook, we are calling our custom data source API using details like IP, Domain, Hash, Url, Hostname on which the incident is generated and adding data as a comment to the incident in a proper format if found from the custom data source API.
Can you please let us know whether the approach for Alert Enrichment used by us is proper or not? Also, can you suggest any other way to achieve the same use case?
Here I am attaching a screenshot to explain our workflow for your reference.

Microsoft Sentinel

2 answers

  1. Clive Watson 5,721 Reputation points MVP
    2023-04-18T09:58:31.44+00:00

    I suspect that is how many people do enrichments. I might suggest you put in an automation rule that calls the Playbook (if you don't already) as that often makes the assignment of new Rules easier (and the duration settings help for testing and tagging).


  2. Andrew Blumhardt 9,576 Reputation points Microsoft Employee
    2023-04-18T15:38:06.56+00:00

    You could ingest this custom data source that you are using for enrichment, either to a custom table or a watchlist. You could also ingest it as TI indicators if appropriate. If that data does not need to be obscured from the Sentinel operator, then you could include that data as part of the alert query as a union or join, maybe surfacing it as a custom detail mapping or tag. That would eliminate the recurring logic app cost and could make the enrichment more visible.

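As an added example (not code from either answer or from Microsoft), this is how the watchlist-join approach in the second answer could look inside the analytic rule query itself, so the match and the enrichment fields arrive with the alert instead of being fetched later by a playbook. It assumes a watchlist named `CustomThreatFeed` with columns `Indicator`, `IndicatorType` (`ip` or `domain`), `Severity` and `Description`; those names are assumptions, while `_Im_NetworkSession`, `_Im_Dns` and `_GetWatchlist` are the real ASIM and watchlist functions.

```kql
// Assumed watchlist (name and columns are not from the thread): CustomThreatFeed
// with Indicator, IndicatorType ("ip" | "domain"), Severity, Description.
let feed = _GetWatchlist('CustomThreatFeed')
    | project Indicator = tolower(tostring(Indicator)),
              IndicatorType = tostring(IndicatorType),
              Severity = tostring(Severity),
              Description = tostring(Description);
let ipFeed = feed | where IndicatorType == "ip";
let domainFeed = feed | where IndicatorType == "domain";
// IP indicators: match either end of a session from the ASIM network session parser.
// Expanding both addresses into one column lets a single join cover src and dst.
let ipHits = _Im_NetworkSession(starttime=ago(1h), endtime=now())
    | where isnotempty(SrcIpAddr) or isnotempty(DstIpAddr)
    | extend MatchedField = pack_array("SrcIpAddr", "DstIpAddr"),
             Indicator = pack_array(SrcIpAddr, DstIpAddr)
    | mv-expand MatchedField to typeof(string), Indicator to typeof(string)
    | where isnotempty(Indicator)
    | join kind=inner ipFeed on Indicator
    | project TimeGenerated, EventProduct, SrcIpAddr, DstIpAddr,
              Indicator, MatchedField, Severity, Description;
// Domain indicators: match the queried name from the ASIM DNS parser.
let domainHits = _Im_Dns(starttime=ago(1h), endtime=now())
    | where isnotempty(DnsQuery)
    | extend Indicator = tolower(DnsQuery), MatchedField = "DnsQuery"
    | join kind=inner domainFeed on Indicator
    | project TimeGenerated, EventProduct, SrcIpAddr, DstIpAddr = "",
              Indicator, MatchedField, Severity, Description;
union ipHits, domainHits
// Only raise incidents for the severities the feed marks as actionable;
// lower severities stay in the table for hunting.
| where tolower(Severity) in ("high", "critical")
// Pre-built text for the alert description or a custom details field, so the
// analyst sees the feed context without a playbook round trip.
| extend EnrichmentNote = strcat("Matched ", MatchedField, " ", Indicator,
                                 " in CustomThreatFeed (", Severity, "): ", Description)
| project TimeGenerated, EventProduct, SrcIpAddr, DstIpAddr,
          Indicator, MatchedField, Severity, Description, EnrichmentNote
```

In the rule's entity mapping, map `Indicator` to the IP or DNS entity and surface `Severity`, `Description` and `EnrichmentNote` as custom details, which is the "custom detail mapping" the answer refers to.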