Entities not correctly displaying in custom alerts in Azure Sentinel

I'mLenny 51 Reputation points
2022-01-25T15:48:22.087+00:00

I have created an alert in Azure Sentinel that will alert me when a user account has recorded an event that has originated outside of my country of work.

When an incident is created I am able to display the UPN under the "Entities" section in the Incident Summary, but not the location. When I want to view full entity details it does not appear there either.

I have tried mapping it to a few different entities as well as adding a Custom Mapping (Location, Location Key-Value pair) and get the same results - not visible in the Incident Summary nor the Entity full details, which MS Docs suggest should happen.

Is there any reason why I can't query / display this value? I'm wanting to create a Logic App based on this query and unless I can pull the Entity I'm not sure I can create the automation rule.

Code is very similar to the below:

SigninLogs
| where Location != "US"          // sign-ins recorded outside the home country
| where isnotempty(Location)
| project UserPrincipalName, Location

3 answers

  1. Anonymous
    2022-01-27T20:16:59.7+00:00

    You can usually find Entities in the SecurityAlert Table - this is an example that looks at the IP entity and gets the CountryCode

    SecurityIncident
    | summarize arg_max(TimeGenerated, *) by IncidentNumber   // latest record per incident
    | extend Alerts = extract(@"\[(.*?)\]", 1, tostring(AlertIds))
    | mv-expand AlertIds to typeof(string)                    // one row per alert ID
    | join
    (
    SecurityAlert
    | extend AlertEntities = parse_json(Entities)
    | mv-expand AlertEntities                                 // one row per entity
    | where isnotempty(AlertEntities)
    | where AlertEntities.Type == "ip"
    | extend Entity = tostring(AlertEntities.Address)
    | extend CountryCode_ = tostring(parse_json(tostring(AlertEntities.Location)).CountryCode)
    ) on $left.AlertIds == $right.SystemAlertId
    | where isnotempty(CountryCode_)

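Before joining incidents to alerts as above, it is worth confirming what entities the rule actually attached to its alerts, since an entity that never reached the SecurityAlert row cannot show up in the incident summary or in an automation. The query below is an added example, not code from this thread or from Microsoft; it assumes a rule named "Sign-in outside home country" (a placeholder) and the standard SecurityAlert columns AlertName, SystemAlertId and Entities.

```kql
// Added example: inventory the entity types a rule attached over the last week,
// and count how many of them carry a Location property.
SecurityAlert
| where TimeGenerated > ago(7d)
| where AlertName == "Sign-in outside home country"   // placeholder rule name
| extend AlertEntities = parse_json(Entities)
| mv-expand AlertEntities                             // one row per entity
| where isnotempty(AlertEntities)
| extend EntityType = tostring(AlertEntities.Type),
         // Account entities expose Name, IP entities expose Address
         EntityName = coalesce(tostring(AlertEntities.Name), tostring(AlertEntities.Address)),
         EntityLocation = tostring(AlertEntities.Location)
| summarize AlertCount = dcount(SystemAlertId),
            EntityCount = count(),
            SampleName = take_any(EntityName),
            WithLocation = countif(isnotempty(EntityLocation))
    by EntityType
| order by EntityCount desc
```

If the type you mapped in the rule wizard is missing from this output, the problem is in the mapping (or the mapped column was empty at alert time), not in the incident view; if it is present but WithLocation is zero, the location never made it into the entity and the join in the answer above will filter those alerts out.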

  2. James Hamil 21,776 Reputation points Microsoft Employee
    2022-02-01T23:46:16.723+00:00

    Hi @I'mLenny , did the answer from CliveWatson help you? As mentioned in my comment above, you can test this with Kusto Explorer. If your question is resolved please mark the appropriate answer as "Verified" so other users may reference it.

    Thank you,
    James


  3. I'mLenny 51 Reputation points
    2022-02-16T12:55:45.39+00:00

    Hello,

    Sorry all, I forgot I asked this. I did manage to figure out a workaround, so I have not tested the anonymous user's suggestion to confirm if it works.

    For my solution I extended location to a new variable, and was

    SigninLogs
    // ...code...
    | extend UserLocation = tostring(Location) // passing Location to its own value to allow us to pass it as an Entity in the Analytics Rule
    | project TimeGenerated, UserPrincipalName, UserLocation

    From there I was able to map UserLocation to Entity Account / Name and it passed into the incident summary.

    Not entirely sure why forcing Location (which is of type string) to a string in a new variable works, but it does.

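Putting the original question and the workaround together, the query below is an added example (not the poster's code and not from Microsoft) of a rule query that emits only plain string columns, so each one can be mapped to an entity or surfaced as a custom detail in the analytics rule wizard. It assumes the Azure AD sign-in schema in which SigninLogs has a string Location column (country code), a string ResultType ("0" on success), and a dynamic LocationDetails column with city, state and countryOrRegion fields; "US" stands in for the home country.

```kql
// Added example: sign-ins from outside the home country, with every location
// attribute forced into its own string column before summarize/project.
let HomeCountry = "US";                         // placeholder home country
SigninLogs
| where TimeGenerated > ago(1h)
| where ResultType == "0"                       // successful sign-ins only
| where isnotempty(Location) and Location != HomeCountry
| extend UserLocation  = tostring(Location),    // same trick as the workaround above
         SignInCity    = tostring(LocationDetails.city),
         SignInState   = tostring(LocationDetails.state),
         SignInCountry = tostring(LocationDetails.countryOrRegion)
// one row per user / source IP / location instead of one per sign-in event
| summarize SignInCount = count(),
            FirstSeen   = min(TimeGenerated),
            LastSeen    = max(TimeGenerated)
    by UserPrincipalName, IPAddress, UserLocation, SignInCity, SignInState, SignInCountry
| project-reorder UserPrincipalName, IPAddress, SignInCountry, SignInState, SignInCity,
                  UserLocation, SignInCount, FirstSeen, LastSeen
```

In the rule's entity mapping, UserPrincipalName goes to the Account entity and IPAddress to the IP entity's Address identifier; the location columns are better placed under custom details (where each shows as a key-value pair on the incident) than forced into an Account name, and because they are already strings they arrive intact in a Logic App that reads the incident's custom details.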