Parse ExtendedProperty in Azure Sentinel alert for Logic App use

I got a few questions from readers about processing the data in the ExtendedProperties field of an alert. They didn't want to send the full JSON payload. Instead, they wanted to extract pieces of information from a useful field like ExtendedProperties to compose an email in a friendly format.

In this article, let's explore the Parse JSON action in Azure Logic Apps to extract information from the ExtendedProperties field of the SecurityAlert table.

Pre-requisites

There are a few pre-requisites to follow this article:

  • Basic knowledge of using Azure Logic Apps with dynamic content, and of sending email from a Logic App. You can follow this step-by-step guidance to ramp up.
  • Basic knowledge of the SecurityAlert table, which stores alerts from Azure Security Center, Azure Sentinel and so on.

Parse JSON action

Let's pick a sample alert from the SecurityAlert table. Below is its ExtendedProperties value:

{
  "Attackers": "[\"IP Address: 31.169.31.94\"]",
  "Number of failed authentication attempts to host": "206",
  "Accounts used on failed sign in to host attempts": "[\"root\"]",
  "Was SSH session initiated": "No",
  "End Time UTC": "01/12/2020 23:59:58",
  "ActionTaken": "Detected",
  "resourceType": "Virtual Machine"
}

ExtendedProperties is an important field that tells you a lot about the alert. Different alert types provide different sets of properties. In this article, I picked a Failed SSH brute-force attack alert.

Our target is to parse the ExtendedProperties JSON before adding each parsed field to the email. That means we need an action between the Azure Sentinel trigger and the Send email action.

In the Parse JSON action, add ExtendedProperties to the Content field. The schema is very important: it describes what your payload looks like so the Parse JSON action can parse it correctly.

{
    "type": "object",
    "properties": {
        "Attackers": {
            "type": "string"
        },
        "Number of failed authentication attempts to host": {
            "type": "string"
        },
        "Accounts used on failed sign in to host attempts": {
            "type": "string"
        },
        "Was SSH session initiated": {
            "type": "string"
        },
        "End Time UTC": {
            "type": "string"
        },
        "ActionTaken": {
            "type": "string"
        },
        "resourceType": {
            "type": "string"
        }
    }
}
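As an added example, not part of the original post: the same parse done in Python, using the ExtendedProperties value shown above as a constructed sample. It mirrors the schema's string typing and its tolerance of missing properties, and additionally decodes the values that the alert stores as JSON arrays inside a string, which the Logic App schema leaves as plain strings.

```python
import json

# Constructed sample: the ExtendedProperties string of this page's Failed SSH brute-force alert.
SAMPLE_EXTENDED_PROPERTIES = json.dumps({
    "Attackers": "[\"IP Address: 31.169.31.94\"]",
    "Number of failed authentication attempts to host": "206",
    "Accounts used on failed sign in to host attempts": "[\"root\"]",
    "Was SSH session initiated": "No", "End Time UTC": "01/12/2020 23:59:58",
    "ActionTaken": "Detected", "resourceType": "Virtual Machine",
})

# The properties declared in the Parse JSON schema above; every one is typed "string".
SCHEMA_PROPERTIES = (
    "Attackers", "Number of failed authentication attempts to host",
    "Accounts used on failed sign in to host attempts", "Was SSH session initiated",
    "End Time UTC", "ActionTaken", "resourceType",
)
EMAIL_KEYS = SCHEMA_PROPERTIES[:5]  # the ones placed in the email body

def validate_against_schema(props):
    """Mirror the Parse JSON check: a declared property that is present must be a string.
    Absent properties pass because the schema has no 'required' list, which is what lets
    alert types with a different property set still flow through the action."""
    return [k for k in SCHEMA_PROPERTIES if k in props and not isinstance(props[k], str)]

def decode_nested(value):
    """Attackers and the accounts list are JSON arrays serialised into a string, so the
    email would print '["root"]' verbatim. Decode those; leave other strings untouched."""
    try:
        decoded = json.loads(value)
    except (TypeError, ValueError):
        return value
    return decoded if isinstance(decoded, list) else value

def parse_extended_properties(raw):
    """Parse the raw field, failing on a type mismatch the way the Logic App action does."""
    props = json.loads(raw)
    if mismatched := validate_against_schema(props):
        raise ValueError(f"schema mismatch on properties: {mismatched}")
    return {k: decode_nested(v) for k, v in props.items()}

def email_fields(raw):
    """Name/value pairs for the email body; a property the alert lacks becomes 'n/a'
    rather than breaking the message, and decoded lists are joined for display."""
    props = parse_extended_properties(raw)
    def fmt(key):
        value = props.get(key, "n/a")
        return ", ".join(value) if isinstance(value, list) else value
    return {key: fmt(key) for key in EMAIL_KEYS}
```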

Now you can add each field to your email in the Send email action. Below is the HTML body used in this example; each "az" marks the position where a dynamic content token was inserted.

<p>Hello AzSec,</p>
<p>You have an incident from Azure Sentinel. Below is information:</p>
<ul>
<li><strong>Alert Name:&nbsp;</strong>az</li>
<li><strong>Description</strong>: az</li>
<li><strong>Severity</strong>: az</li>
<li><strong>Resource Group</strong>: az</li>
<li><strong>Start Time</strong>: az</li>
<li><strong>End Time</strong>: az</li>
<li><strong>Attackers</strong>: az</li>
<li><strong>Number of failed authentication attempts to host</strong>: az</li>
<li><strong>Accounts used on failed sign in to host attempts</strong>: az</li>
<li><span style="color: #ff0000;"><strong>Was SSH session initiated</strong></span>: az</li>
</ul>
<p>Please review and let us know whether this incident is false positive.</p>
<p>AzSec Team</p>
<div>&nbsp;</div>

When you compose the email body, pick the parsed fields from the Parse JSON section of the dynamic content list.

Save and run your new playbook. Go to the Azure Sentinel incident page, pick a Failed SSH brute-force attack case and trigger the newly created playbook. Your email should look like the one below:

This article simply shows how powerful Parse JSON is, with a use case for Azure Sentinel alerts. If you want to handle every alert type, you will need more playbooks, or use Switch and Condition actions.

Stay tuned and subscribe to the AzSec blog for more tips!


3 Responses to Parse ExtendedProperty in Azure Sentinel alert for Logic App use

  1. Pingback: Notify Azure Sentinel alert to your email automatically

  2. vip12 says:

    Please tell how the data (eg attackers, number of failed authentication attempts to host, etc.) get into the ExtendedProperties field? Could you introduce the full text of the Failed SSH brute-force attack rule? Tnx!

    • azsec says:

      Hi vip12,

      The data is handled by Microsoft internally, which we don't know about. If you write ASC alerts to the log you will see the ExtendedProperties field in the log body.

      I don't understand what you mean by the full text of the Failed SSH brute-force attack rule. This rule comes from Azure Security Center and Microsoft hasn't really told us the signature of the rule.
