KarthickG asked MayankBargali-MSFT answered

Join Sentinel Entity Json in Logicapp

The Sentinel alert entity output in the Logic App is in the format below:

[
    {
        "$id": "3",
        "Name": "randamuser1",
        "Type": "account"
    },
    {
        "$id": "4",
        "Name": "randamuser2",
        "Type": "account"
    },
    {
        "$id": "6",
        "HostName": "hostofuser1",
        "Type": "host"
    },
    {
        "$id": "7",
        "HostName": "hostofuser2",
        "Type": "host"
    }
]

I want to map Name and HostName into the same JSON block. How can I achieve this?

Tags: azure-logic-apps, microsoft-sentinel

Hi @KarthickG ,

Welcome to Microsoft Q&A Platform. Thank you for the question.

Could you please share the correct input and expected output JSON, because the sample above does not seem correct: it has both a 'Name' object and a 'HostName' object.

Regards,
Kamlesh Kumar



In the Logic App, when I invoke the Microsoft Sentinel alert, the entities are displayed in the format below. I am trying to get the username and device name.

[
    {
        "$id": "3",
        "Name": "randamuser1",
        "Type": "account"
    },
    {
        "$id": "4",
        "Name": "randamuser2",
        "Type": "account"
    },
    {
        "$id": "6",
        "HostName": "hostofuser1",
        "Type": "host"
    },
    {
        "$id": "7",
        "HostName": "hostofuser2",
        "Type": "host"
    }
]

My expected output is:

{
    "Name": "randamuser1",
    "HostName": "hostofuser1"
}

{
    "Name": "randamuser2",
    "HostName": "hostofuser2"
}

so that I can build an HTML table in the format below:

Name         HostName
randamuser1  hostofuser1
randamuser2  hostofuser2


If you look at the source array data, the 1st and 2nd items have a Name object, but the 3rd and 4th do not have a Name, though they have a HostName. Could you please confirm that the source data is correct?

 [
     {
         "$id": "3",
         "Name": "randamuser1",
         "Type": "account"
     },
     {
         "$id": "4",
         "Name": "randamuser2",
         "Type": "account"
     },
     {
         "$id": "6",
         "HostName": "hostofuser1",
         "Type": "host"
     },
     {
         "$id": "7",
         "HostName": "hostofuser2",
         "Type": "host"
     }
 ]



Yes, the values are correct; that is how they are retrieved from the Sentinel alert. Screenshot attached for your reference.

[screenshot: Sentinel alert entities as shown in the Logic App run]


DavidBroggy-5270 answered

Hi Karthick,

Those entities likely won't map the way you'd like, given your analytic rule.

However, if you play with your KQL, you could create a concatenated value and map that to an identifier. (I use strcat frequently.)

The other option is to add a Log Analytics query to your Logic App and pull out the two fields that way, but I'd do it as in the first suggestion.

Hope that helps.

Reference:
strcat() function



MayankBargali-MSFT answered

@KarthickG Thanks for reaching out. Unfortunately, you cannot format the data at the Logic App end, because there is no relation or way to distinguish which user account maps to which host. Whether you use inline code or different actions such as foreach and conditions, I don't see any relationship that would help in processing it further at the Logic App end.

As an alternative, as David mentioned, I suggest you pull only the required fields as per your business needs.

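The following is an added example, not code from the original thread or from Microsoft. It illustrates both answers above: the entity array as posted carries no join key between account and host entities (grouping by Type just yields two independent lists), so the pairing has to be made in the analytics rule's KQL, as David suggests, e.g. `| extend UserHost = strcat(AccountName, "|", HostName)` mapped to the Account entity's Name identifier. The example assumes exactly that: each account entity then arrives in the Logic App with Name = "user|host", and the "|" separator, the sample entity array, and the function names are all assumptions made here. It also HTML-escapes the values before building the table, since user and host names come from the source logs and may contain markup.

```javascript
// Added example (not from the original thread). Assumes the analytics rule
// emits strcat(user, "|", host) into the Account entity's Name identifier.
const SEP = "|"; // separator chosen here; must match the strcat() in the rule

// Constructed sample: entity array in the shape the question shows, after the
// rule has been changed to emit the concatenated value in Name.
const sampleEntities = [
  { "$id": "3", "Name": "randamuser1|hostofuser1", "Type": "account" },
  { "$id": "4", "Name": "randamuser2|hostofuser2", "Type": "account" },
  { "$id": "6", "HostName": "hostofuser1", "Type": "host" },
  { "$id": "7", "HostName": "hostofuser2", "Type": "host" }
];

// Group entities by Type (case-insensitive). This only shows the two
// independent lists the alert carries; nothing in them says which account
// belongs to which host, which is the point made in the answers above.
function groupByType(entities) {
  const groups = {};
  for (const e of entities) {
    const t = String(e.Type || "").toLowerCase();
    (groups[t] = groups[t] || []).push(e);
  }
  return groups;
}

// Split the concatenated Name of each account entity into {Name, HostName}.
// An account whose Name has no separator keeps HostName "" rather than being
// paired positionally with a host entity, because there is no join key.
function extractRows(entities) {
  const rows = [];
  for (const e of entities) {
    if (String(e.Type || "").toLowerCase() !== "account") continue;
    if (typeof e.Name !== "string") continue;
    const idx = e.Name.indexOf(SEP);
    if (idx < 0) {
      rows.push({ Name: e.Name, HostName: "" });
      continue;
    }
    rows.push({ Name: e.Name.slice(0, idx), HostName: e.Name.slice(idx + SEP.length) });
  }
  return rows;
}

// Entity values are whatever the source log contained, so escape them before
// they are placed into HTML that will be emailed or displayed.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, c => map[c]);
}

// Build the two-column table the question asks for.
function renderTable(rows) {
  const body = rows
    .map(r => `<tr><td>${escapeHtml(r.Name)}</td><td>${escapeHtml(r.HostName)}</td></tr>`)
    .join("");
  return `<table><tr><th>Name</th><th>HostName</th></tr>${body}</table>`;
}

// Entry point mirroring what an inline-code action in the Logic App would do:
// take the entities array and return the HTML for the next step.
function buildEntityTable(entities) {
  return renderTable(extractRows(entities));
}

console.log(JSON.stringify(groupByType(sampleEntities), null, 2));
console.log(JSON.stringify(extractRows(sampleEntities), null, 2));
console.log(buildEntityTable(sampleEntities));
```

If the rule cannot be changed, the same `extractRows` logic would have nothing to split and every row would come back with an empty HostName, which is the honest result: the Logic App should not guess the pairing from list order.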