Parse ExtendedProperty in Azure Sentinel alert for Logic App use

I got a few questions from readers about processing the data in the ExtendedProperties field of an alert. They didn’t want to send the full JSON blob in an email. Instead they wanted to extract individual pieces of information from a useful field such as ExtendedProperties and compose a friendlier email.

In this article, let’s explore the Parse JSON action in Azure Logic Apps and use it to extract information from the ExtendedProperties field of the SecurityAlert table.

Pre-requisites

There are a few pre-requisites to follow this article:

  • Basic knowledge of Azure Logic Apps, in particular using dynamic content and sending email. You can follow this step-by-step guidance to ramp up.
  • Basic knowledge of the SecurityAlert table, which stores alerts from Azure Security Center, Azure Sentinel and so on.

Parse JSON action

Let’s pick a sample alert from the SecurityAlert table. Below is its ExtendedProperties value:

{
  "Attackers": "[\"IP Address: 31.169.31.94\"]",
  "Number of failed authentication attempts to host": "206",
  "Accounts used on failed sign in to host attempts": "[\"root\"]",
  "Was SSH session initiated": "No",
  "End Time UTC": "01/12/2020 23:59:58",
  "ActionTaken": "Detected",
  "resourceType": "Virtual Machine"
}

ExtendedProperties is an important field that tells you a lot about the alert. Different alert types provide different properties. For this article I picked a Failed SSH brute-force attack alert.

Our target is to parse the ExtendedProperties JSON before adding each parsed field to the email. That means we need an action between the Azure Sentinel trigger and the Send email action.

In the Parse JSON action, add ExtendedProperties to the Content field. The Schema is very important: it tells the action what the payload looks like so that Parse JSON can parse it correctly.

{
    "type": "object",
    "properties": {
        "Attackers": {
            "type": "string"
        },
        "Number of failed authentication attempts to host": {
            "type": "string"
        },
        "Accounts used on failed sign in to host attempts": {
            "type": "string"
        },
        "Was SSH session initiated": {
            "type": "string"
        },
        "End Time UTC": {
            "type": "string"
        },
        "ActionTaken": {
            "type": "string"
        },
        "resourceType": {
            "type": "string"
        }
    }
}

Now you can add each parsed field to your email in the Send email action.

<p>Hello AzSec,</p>
<p>You have an incident from Azure Sentinel. Below is information:</p>
<ul>
<li><strong>Alert Name:&nbsp;</strong>az</li>
<li><strong>Description</strong>: az</li>
<li><strong>Severity</strong>: az</li>
<li><strong>Resource Group</strong>: az</li>
<li><strong>Start Time</strong>: az</li>
<li><strong>End Time</strong>: az</li>
<li><strong>Attackers</strong>: az</li>
<li><strong>Number of failed authentication attempts to host</strong>: az</li>
<li><strong>Accounts used on failed sign in to host attempts</strong>: az</li>
<li><span style="color: #ff0000;"><strong>Was SSH session initiated</strong></span>: az</li>
</ul>
<p>Please review and let us know whether this incident is false positive.</p>
<p>AzSec Team</p>
<div>&nbsp;</div>

When you compose the email body, look for the parsed fields under Parse JSON in the dynamic content list.
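As an added illustration (not code from the AzSec article, nor anything shipped with Logic Apps), the Python script below reproduces what the Parse JSON and Send email steps do with the sample alert above: it decodes ExtendedProperties, picks out the properties the schema declares, and renders the same HTML list as the email template. The alert row, the SSH_BRUTE_FORCE_SCHEMA constant and every function name are constructed for this example. Two things are easier to see in working code than in the designer: values such as Attackers are a JSON array serialised inside a string and need a second decode to display cleanly, and because the schema marks no property as required, an alert whose payload lacks those keys still parses successfully with every field empty, which is what a blank email looks like; missing_keys() reports that situation before anything is sent. Values such as the account name originate from the failed logins themselves, so they are HTML-escaped before being placed in the email body.

```python
import html
import json

# Constructed sample alert row, modelled on the ExtendedProperties shown in the article.
# A real SecurityAlert row carries many more columns; only the ones used below are included.
SAMPLE_ALERT = {
    "AlertName": "Failed SSH brute force attack",
    "Description": "Constructed description for the example",
    "AlertSeverity": "Medium",
    "ExtendedProperties": json.dumps({
        "Attackers": "[\"IP Address: 31.169.31.94\"]",
        "Number of failed authentication attempts to host": "206",
        "Accounts used on failed sign in to host attempts": "[\"root\"]",
        "Was SSH session initiated": "No",
        "End Time UTC": "01/12/2020 23:59:58",
        "ActionTaken": "Detected",
        "resourceType": "Virtual Machine",
    }),
}

# The property names the article's Parse JSON schema declares; every value is a string.
SSH_BRUTE_FORCE_SCHEMA = {
    "type": "object",
    "properties": {
        name: {"type": "string"}
        for name in (
            "Attackers",
            "Number of failed authentication attempts to host",
            "Accounts used on failed sign in to host attempts",
            "Was SSH session initiated",
            "End Time UTC",
            "ActionTaken",
            "resourceType",
        )
    },
}

# Fields in the email that come from the alert row itself rather than from ExtendedProperties.
ALERT_COLUMNS = ("AlertName", "Description", "AlertSeverity")


def load_extended_properties(alert: dict) -> dict:
    """ExtendedProperties is stored as a JSON string; decode it once and insist on an object."""
    payload = json.loads(alert.get("ExtendedProperties") or "{}")
    if not isinstance(payload, dict):
        raise ValueError("ExtendedProperties is not a JSON object")
    return payload


def parse_extended_properties(alert: dict, schema: dict) -> dict:
    """Mimic Parse JSON: one entry per schema property. A property the payload lacks comes
    back as None, which the designer shows as an empty token in the email."""
    payload = load_extended_properties(alert)
    return {name: payload.get(name) for name in schema["properties"]}


def missing_keys(alert: dict, schema: dict) -> list:
    """Schema properties absent from this alert's payload. A non-empty list means the schema
    was written for a different alert type and the email will contain blank fields."""
    return sorted(set(schema["properties"]) - set(load_extended_properties(alert)))


def display_value(value) -> str:
    """Some values (Attackers, the accounts list) are a JSON array serialised inside the string,
    so a second decode is needed to show them without brackets and escaped quotes."""
    if value is None:
        return ""
    if isinstance(value, str) and value.lstrip().startswith("["):
        try:
            items = json.loads(value)
            if isinstance(items, list):
                return ", ".join(str(item) for item in items)
        except ValueError:
            pass
    return str(value)


def render_email(alert: dict, schema: dict) -> str:
    """Build the HTML list used in the article's email body. Property values are derived from
    the attacker's own login attempts, so they are HTML-escaped before going into the message."""
    items = []
    for column in ALERT_COLUMNS:
        items.append(f"<li><strong>{column}</strong>: {html.escape(str(alert.get(column, '')))}</li>")
    for name, value in parse_extended_properties(alert, schema).items():
        items.append(f"<li><strong>{html.escape(name)}</strong>: {html.escape(display_value(value))}</li>")
    return "<ul>\n" + "\n".join(items) + "\n</ul>"


if __name__ == "__main__":
    print(render_email(SAMPLE_ALERT, SSH_BRUTE_FORCE_SCHEMA))
    print("missing schema keys:", missing_keys(SAMPLE_ALERT, SSH_BRUTE_FORCE_SCHEMA))
```

Run it as-is to see the rendered list for the sample alert; to reproduce the blank-email case, feed an alert whose ExtendedProperties contains other keys and check that missing_keys() lists all seven schema properties. The equivalent check inside a Logic App is a Condition on the parsed values before the Send email action.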

Save and run your new playbook. Go to the Azure Sentinel incident page, pick a Failed SSH brute-force attack case, and trigger the newly created playbook. Your email should look like the one below:

This article simply shows how powerful Parse JSON is, along with one use case for it with Azure Sentinel alerts. If you want to handle every alert type you will need more playbooks, or the Switch and Condition actions.

Stay tuned and subscribe to the AzSec blog for more tips!


7 Responses to Parse ExtendedProperty in Azure Sentinel alert for Logic App use

  1. Pingback: Notify Azure Sentinel alert to your email automatically

  2. vip12 says:

    Please tell how the data (e.g. attackers, number of failed authentication attempts to host, etc.) gets into the ExtendedProperties field? Could you introduce the full text of the Failed SSH brute-force attack rule? Tnx!

    • azsec says:

      Hi vip12,

      The data is handled internally by Microsoft, which we don’t know about. If you write ASC alerts to a log you will see the ExtendedProperties field in the log body.

      I don’t understand what you mean by the full text of the Failed SSH brute-force attack rule. This rule comes from Azure Security Center and Microsoft hasn’t really told us the signature of the rule.

  3. Pingback: Transform Azure Sentinel incident to Log Analytics Workspace with Logic App

  4. Samuel says:

    Hi,

    Thanks for the very informative process, which I have followed.

    However, I am unable to see the extracted information in my email after extracting the needed info and adding it to the body of the email.

    I created a custom analytic rule to monitor changes in AWS instances and also set an email alert to notify of any changes observed on all running instances. Changes such as "RunInstances", "TerminateInstances", "AttachInstances", "StopInstances", "StartInstances", "CreateInstances".

    Can I also ask how you were able to view the extended properties for the security alert you selected as an example?

    "Attackers": "[\"IP Address: 31.169.31.94\"]",
    "Number of failed authentication attempts to host": "206",
    "Accounts used on failed sign in to host attempts": "[\"root\"]",
    "Was SSH session initiated": "No",
    "End Time UTC": "01/12/2020 23:59:58",
    "ActionTaken": "Detected",
    "resourceType": "Virtual Machine"

    My schema –

    {
        "properties": {
            "AWSRegion": {
                "type": "string"
            },
            "EventName": {
                "type": "string"
            },
            "EventSource": {
                "type": "string"
            },
            "InstanceId": {
                "type": "string"
            },
            "ResponseElements": {
                "type": "string"
            },
            "SourceIpAddress": {
                "type": "string"
            },
            "User": {
                "type": "string"
            },
            "UserAgent": {
                "type": "string"
            },
            "UserIdentityAccountId": {
                "type": "string"
            },
            "UserIdentityPrincipalid": {
                "type": "string"
            },
            "UserIdentityType": {
                "type": "string"
            },
            "arn": {
                "type": "string"
            }
        }
    }

    My analytics query is:

    let timeframe = 1d;
    // Event names to match; in~ is case-insensitive but needs the exact spelling with no stray spaces
    let EventNameList = dynamic(["RunInstances", "TerminateInstances", "AttachInstances", "StopInstances", "StartInstances", "CreateInstances"]);
    AWSCloudTrail
    | where TimeGenerated >= ago(timeframe)
    | where EventName in~ (EventNameList)
    // Prefer the IAM user name; fall back to the session issuer for assumed roles
    | extend User = iif(isnotempty(UserIdentityUserName), UserIdentityUserName, SessionIssuerUserName)
    | summarize EventCount = count(), StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated)
        by EventSource, EventName, UserIdentityType, User, SourceIpAddress, UserAgent, SessionMfaAuthenticated, AWSRegion,
        AdditionalEventData, UserIdentityAccountId, UserIdentityPrincipalid, ResponseElements
    // Entity mappings consumed by the analytics rule
    | extend timestamp = StartTimeUtc, AccountCustomEntity = User, IPCustomEntity = SourceIpAddress
    | extend FileHashCustomEntity = UserIdentityType
    | extend URLCustomEntity = UserIdentityPrincipalid
    | extend HostCustomEntity = EventName

    My email notification currently looks like this, with no extended property information pulling through:

    Hello,

    You have an incident from Azure Sentinel. Kindly see below information.

    Alert Type:Changes to AWS Instances

    Description:To report changes observed on all running instances. Changes such as RunInstances”, “TerminateInstances”, ” AttachInstances”, “StopIntances”, “StartInstances”, “CreateInstances

    Severity:Medium

    Resource Group:

    Start Time:2020-11-03T12:59:08Z

    Time Generated:2020-11-04T13:04:11Z

    User:
    Event Name:
    Event Source:
    Account ID:
    Response Elements:
    AWS Region:
    User Agent:
    User Identiity Type:
    Instance Id:
    Principal Id:
    Source Ip:
    ARN:

    Your assistance would be much appreciated.

    Sam

  5. Smart-Cookie says:

    Hey, thanks for the article!

    There is one thing I don’t understand. How did you get the “SecurityAlert table. Below is the sample ExtendedProperties:”? The one you mentioned at the very beginning?

    Since I do not have that data, my results from the parse are empty, and I am not sure how I can solve that issue?

    PS: Is there a way to add “Entity” but just the name of the user? Because “Compromised User” does not seem to work for me 🙁
