Parse ExtendedProperty in Azure Sentinel alert for Logic App use

I got a few questions from readers about processing the data in the ExtendedProperties field of an alert. They did not want to email the full JSON blob; instead, they wanted to extract specific pieces of information from useful fields like ExtendedProperties and compose a friendly email from them.

In this article, let's explore the Parse JSON action in Azure Logic Apps and use it to extract information from the ExtendedProperties field of the SecurityAlert table.

Pre-requisites

There are a few pre-requisites for following this article:

  • Basic knowledge of Azure Logic Apps, including using dynamic content and sending email. You can follow this step-by-step guidance to ramp up.
  • Basic knowledge of the SecurityAlert table, which stores alerts from Azure Security Center, Azure Sentinel and other sources.

Parse JSON action

Let's pick a sample alert from the SecurityAlert table. Below is its ExtendedProperties value:

ExtendedProperties is an informative field that tells you a lot about the alert, but its content is a JSON string whose properties differ from one alert type to the next. For this article I picked a Failed SSH brute force attack alert.

Our goal is to parse the ExtendedProperties JSON before adding each parsed field to the email. That means we need an action between the Azure Sentinel trigger and the Send an email action.

In the Parse JSON action, put the ExtendedProperties dynamic content in the Content field. The schema matters: it describes the shape of the payload so the Parse JSON action can validate it and expose each property as dynamic content. The easiest way to get one is the "Use sample payload to generate schema" option, pasting an ExtendedProperties value copied from a real row in the SecurityAlert table. Be aware that any property listed as required in the schema must be present, and types must match, or the action fails and the run stops.

Now you can add each parsed field to the email in the Send an email action. When you edit the email body, the parsed properties appear under Parse JSON in the dynamic content list.

Save and run the new playbook. Go to the Azure Sentinel incidents page, pick a Failed SSH brute force attack case and trigger the newly created playbook. Your email should look like the one below:

This article simply shows how powerful Parse JSON is, along with a use case for Azure Sentinel alerts. Because each alert type carries its own set of properties, one schema will not fit all of them: to handle every alert type you need either more playbooks, or a Switch or Condition action that branches on the alert type before parsing.
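Putting the pieces together, here is the workflow definition (the Logic Apps code view) for the playbook described above, as an added example and not code from the original post. A Switch on the alert display name makes sure the Parse JSON schema is only applied to the alert type it was written for, and any other alert type falls through to an email carrying the unparsed ExtendedProperties instead of failing the run. The property names in the schema ("Attacker source IP" and the others), the alert display name used as the case value, the connection names (azuresentinel, office365), the recipient address and the trigger body field names are assumptions for illustration; generate the schema from an ExtendedProperties value copied from your own SecurityAlert table.

```json
{
  "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "$connections": { "type": "Object", "defaultValue": {} }
  },
  "triggers": {
    "When_a_response_to_an_Azure_Sentinel_alert_is_triggered": {
      "type": "ApiConnectionWebhook",
      "inputs": {
        "body": { "callback_url": "@{listCallbackUrl()}" },
        "host": { "connection": { "name": "@parameters('$connections')['azuresentinel']['connectionId']" } },
        "path": "/subscribe"
      }
    }
  },
  "actions": {
    "Switch_on_alert_name": {
      "description": "Assumed: branch on AlertDisplayName so each alert type gets the schema written for it",
      "type": "Switch",
      "runAfter": {},
      "expression": "@triggerBody()?['AlertDisplayName']",
      "cases": {
        "Failed_SSH_brute_force": {
          "case": "Failed SSH brute force attack",
          "actions": {
            "Parse_JSON": {
              "description": "Content is the ExtendedProperties string from the trigger; the property names below are assumed, generate them from your own sample payload",
              "type": "ParseJson",
              "runAfter": {},
              "inputs": {
                "content": "@triggerBody()?['ExtendedProperties']",
                "schema": {
                  "type": "object",
                  "properties": {
                    "Attacker source IP": { "type": "string" },
                    "Number of failed authentication attempts to host": { "type": "string" },
                    "Accounts used on failed sign in to host attempts": { "type": "string" },
                    "Was SSH session initiated": { "type": "string" }
                  }
                }
              }
            },
            "Send_an_email_(V2)": {
              "description": "Office 365 Outlook connector; each @{...} token is what the designer inserts when you pick a field under Parse JSON",
              "type": "ApiConnection",
              "runAfter": { "Parse_JSON": [ "Succeeded" ] },
              "inputs": {
                "host": { "connection": { "name": "@parameters('$connections')['office365']['connectionId']" } },
                "method": "post",
                "path": "/v2/Mail",
                "body": {
                  "To": "soc@example.com",
                  "Subject": "[Sentinel] @{triggerBody()?['AlertDisplayName']} on @{triggerBody()?['CompromisedEntity']}",
                  "Body": "<p>Attacker source IP: @{body('Parse_JSON')?['Attacker source IP']}<br>Failed attempts: @{body('Parse_JSON')?['Number of failed authentication attempts to host']}<br>Accounts tried: @{body('Parse_JSON')?['Accounts used on failed sign in to host attempts']}<br>SSH session initiated: @{body('Parse_JSON')?['Was SSH session initiated']}</p>"
                }
              }
            }
          }
        }
      },
      "default": {
        "actions": {
          "Send_raw_alert_email": {
            "description": "Any other alert type: no schema is known for it, so send the unparsed ExtendedProperties rather than failing the run",
            "type": "ApiConnection",
            "runAfter": {},
            "inputs": {
              "host": { "connection": { "name": "@parameters('$connections')['office365']['connectionId']" } },
              "method": "post",
              "path": "/v2/Mail",
              "body": {
                "To": "soc@example.com",
                "Subject": "[Sentinel] @{triggerBody()?['AlertDisplayName']}",
                "Body": "<p>@{triggerBody()?['Description']}</p><pre>@{triggerBody()?['ExtendedProperties']}</pre>"
              }
            }
          }
        }
      }
    }
  }
}
```

Two design choices are worth noting. The schema deliberately has no `required` list: Parse JSON only fails when a required property is missing or a value's type does not match, so a loose schema combined with the null-safe `?['...']` accessor keeps the playbook running (with an empty field in the email) when a property is absent from a particular alert. Second, the values inside ExtendedProperties are typically strings even when they look numeric, so if your sample payload shows quoted numbers keep the schema type as string rather than integer; a type mismatch is the most common reason a generated schema later fails on a live alert. To add a second alert type, add another case to the Switch with its own Parse JSON action and schema rather than widening the first schema.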

Stay tuned and subscribe to the AzSec blog for more tips!

This entry was posted in Security Automation.
