Join Sentinel Entity Json in Logicapp

Karthick G 101 Reputation points
2022-08-14T05:42:36.047+00:00

Sentinel alert Entity output in Logicapp is in below format

[
{
"$id": "3",
"Name": “randamuser1”,
"Type": "account"
},
{
"$id": "4",
"Name": "randamuser2”,
"Type": "account"
},

{
"$id": "6",
"HostName": “hostofuser1”,
"Type": "host"
},
{
"$id": "7",
"HostName": “hostofuser2,
"Type": "host"
},
]

i wanted to map Name & Hostname in same json block, how to achieve it.

Azure Logic Apps
Azure Logic Apps
An Azure service that automates the access and use of data across clouds without writing code.
2,816 questions
Microsoft Sentinel
Microsoft Sentinel
A scalable, cloud-native solution for security information event management and security orchestration automated response. Previously known as Azure Sentinel.
968 questions
{count} votes

2 answers

Sort by: Most helpful
  1. David Broggy 5,681 Reputation points MVP
    2022-08-14T13:40:52.793+00:00

    Hi Karthick,

    Those entities likely won't map the way you'd like given your analytic rule.

    However if you play with your kql you could create a concatenated value and map that to an identifier. (I use strcat frequently)

    The other option is to add a log analytics query to your logic app and pull out the 2 fields that way, but I'd do it as in the first suggestion.

    Hope that helps.

    reference:
    strcatfunction

    0 comments No comments

  2. MayankBargali-MSFT 67,986 Reputation points
    2022-08-18T04:54:50.56+00:00

    @Karthick G Thanks for reaching out. Unfortunately, you cannot format the data at the logic app end as there is no relation or way to distinguish which user account will be mapped to which user host in case if you want to format it at the logic app end either using inline code or using different action such as foreach, conditions etc. as I don't see any relationship that would help in processing it further at the logic app end.

    Alternative as David has mentioned I will suggest you to only pull the required fields as per your business needs.

    0 comments No comments