Incomplete Entity Information in Incident Automation Rule?

Question

We have an analytics rule that merges reports from our malware detection software - it frequently reports several files for the same host as malicious at once, and we use alert grouping to only create a single incident for this. This works wonderfully, but it means that we have more than one file / hash entity associated with a single incident. This is displayed fine in the frontend and seems to work as intended.

However, if we then build a playbook with incident trigger, the incident object (down to the level of the JSON representation) only contains a single entity of each type (one file, one hash, even if five of each are present).

Since we want to send email notifications containing all the file paths and hashes, this is insufficient. Is there any way to get access to the complete data?

Answer 1

I agree the incident trigger is too early in the process. I think there may be an option to add a delay or wait. Maybe that will give time for the alert data to be collected.

Have you considered using Event Grouping under the Rule Logic to create a new alert for each row returned. The alerts would still be grouped by incident. You could then use an alert-based trigger (rather than an alert rule) to trigger a response on each individual IOC.

You may be able to loop through the events related to an incident ID to add the IOCs to a variable or table.

You could also log the IOCs to a file or custom table with the main logic app. Then a secondary logic app could report on the collected IOCs on a schedule.