I have a custom alert that matches a pattern in an unparsed data source of Office 365 logs.
I set up a custom alert so I’m getting an investigation created automatically.
In that alert is evidence that includes the fields and values that I want to use in an Insight Connect workflow.
How do I get that data into a workflow trigger?
Example log line in Log Search:
{
  "source_json": {
    "CreationTime": "2021-04-10T00:43:10",
    "Id": "00000000-0000-0000-0000-0000000000",
    "Operation": "TIMailData",
    "OrganizationId": "00000000-0000-0000-0000-0000000000",
    "RecordType": 28,
    "UserKey": "ThreatIntel",
    "UserType": 4,
    "Version": 1,
    "Workload": "ThreatIntelligence",
    "ObjectId": "00000000-0000-0000-0000-0000000000",
    "UserId": "ThreatIntel",
    "DetectionMethod": "URL detonation reputation",
    "DetectionType": "Inline",
    "EventDeepLink": "https://protection.office.com/.......view=Phish",
    "InternetMessageId": "<123123123@phishingdomain.fictional>",
    "MessageTime": "2021-04-10T00:01:00",
    "NetworkMessageId": "00000000-0000-0000-0000-0000000000",
    "P1Sender": "phisher@phisher.fictional",
    "P2Sender": "phisher@phisher.fictional",
    "Recipients": [
      "victim@mydomain.com"
    ],
    "SenderIp": "1.2.3.4",
    "Subject": "Phishing Subject",
    "Verdict": "Phish"
  },
  "custom_data": {}
}
Aaron, you’d create an InsightConnect workflow with an IDR Custom Alert Trigger, then you’d tie the alert in IDR to the ICON workflow using the “Alert Notification” option in the custom alert configuration within IDR. Flip it to Notifications and you should have an InsightConnect Workflow over at the right.
This configuration will trigger the workflow every time the custom alert fires and the workflow will receive a bunch of data from IDR including the source_json.
OK, I think I’m a lot closer now. Thanks!
I connected a workflow triggered by custom alert and now I think that makes a lot more sense.
How do I get the new workflow to show in my “Take Action” menu?
I don’t see the new workflow in my list. Or is that not an option? Do I just need to wait for a new alert to come in?
Aaron, I believe the “Take Action” menu only lists “UBA” workflows, not custom alert workflows. The output a custom alert delivers to ICON doesn’t match what the UBA alerts send over. The “Take Action” button sends the investigation information over in the UBA format while the Custom Alert trigger expects a log entry that triggered the alert.
Elijah, thanks for the reply and clarification.
Something close to what I was looking for was the “Rerun This Job” option in the ICON job.
After a little trial and error, I now understand how to look at the Outputs and figure out how to grab a specific field value.
For example, to get the Office 365 email sender, I used this:
{{["O365 Alert Trigger"].[event].[entryObject].[source_json].[P1Sender]}}
Thanks for nudging me in the right direction.
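The field-path expression above is the part people usually have to work out by trial and error, so here is an added example (not code from the thread or from Rapid7) that resolves that bracketed path syntax against a trigger payload and pulls the fields a phishing triage step would want. The nesting `event -> entryObject -> source_json` is taken from the expression in the thread; the surrounding envelope in SAMPLE_TRIGGER_OUTPUT is a constructed sample, and the path resolver is a simple stand-in for InsightConnect's own templating, not a reimplementation of it. Missing fields fall back to a default instead of raising, which is what you want in a workflow step that must not fail on a slightly different log record.

```python
import json
import re

# Constructed sample of a custom-alert trigger payload. Only the
# event.entryObject.source_json nesting is taken from the thread; the
# envelope around it is an assumption for this example.
SAMPLE_TRIGGER_OUTPUT = {
    "O365 Alert Trigger": {
        "event": {
            "entryObject": {
                "source_json": {
                    "Operation": "TIMailData",
                    "Workload": "ThreatIntelligence",
                    "InternetMessageId": "<123123123@phishingdomain.fictional>",
                    "P1Sender": "phisher@phisher.fictional",
                    "P2Sender": "phisher@phisher.fictional",
                    "Recipients": ["victim@mydomain.com"],
                    "SenderIp": "1.2.3.4",
                    "Subject": "Phishing Subject",
                    "Verdict": "Phish",
                },
                "custom_data": {},
            }
        }
    }
}

# One bracketed segment: either a double-quoted name (may contain spaces and
# dots) or a bare name. Segments are joined by '.' in the expression.
_SEGMENT = re.compile(r'\[\s*(?:"([^"]*)"|([^\]]+))\s*\]')


def parse_path(expr):
    """Turn '{{["A B"].[event].[x]}}' into ['A B', 'event', 'x']."""
    body = expr.strip()
    if body.startswith("{{") and body.endswith("}}"):
        body = body[2:-2].strip()
    return [quoted if quoted else bare.strip()
            for quoted, bare in _SEGMENT.findall(body)]


def resolve(data, expr, default=None):
    """Walk the parsed path through nested dicts; return default if any hop is missing."""
    node = data
    for key in parse_path(expr):
        if isinstance(node, dict) and key in node:
            node = node[key]
        else:
            return default
    return node


def triage_summary(data):
    """Collect the fields a phishing triage step would hand to later actions."""
    base = '{{["O365 Alert Trigger"].[event].[entryObject].[source_json].[%s]}}'
    return {
        "sender": resolve(data, base % "P1Sender", ""),
        "recipients": resolve(data, base % "Recipients", []),
        "sender_ip": resolve(data, base % "SenderIp", ""),
        "message_id": resolve(data, base % "InternetMessageId", ""),
        "subject": resolve(data, base % "Subject", ""),
        "verdict": resolve(data, base % "Verdict", "unknown"),
        # Only act (quarantine, notify) when Office 365 itself called it phish.
        "is_phish": resolve(data, base % "Verdict") == "Phish",
    }


if __name__ == "__main__":
    print(json.dumps(triage_summary(SAMPLE_TRIGGER_OUTPUT), indent=2))
```

Using the same `base` template for every field keeps the path in one place, so if the trigger name or the envelope changes you edit one string rather than every step in the workflow.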