Forum Discussion

TheHoff70
Copper Contributor
Aug 18, 2023

Best way to unify a user identity

Greetings

I have a firewall that's feeding our Log Analytics workspace with events. URL blocks, spyware and such. I then have a Sentinel NRT analytics rule that uses these events to create alerts which are gathered into incidents later. The firewall is able to gather the user identity of the device generating the event and include the UPN of the user in the form of the (email address removed for privacy reasons) format.

I've been fiddling with this for a while trying to parse this into something Sentinel will accept as a user AND at the same time tie this user to the identities being sent from our different Microsoft products like Defender 365 and AAD. It feels like no matter what I do Sentinel will always generate two users, one for the AAD and Defender events and one from the firewall events. The attached image from an incident investigation shows the effect of this: the same user is shown twice, only tied together by the device and reports from Defender EDP. Of course this is what investigation is, tying together information, but it feels "redundant" to have the same user/identity show up like this.


Does anyone have any tips?


Regards

Fredrik
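One way to prepare the firewall rows for entity mapping, as an added example that is not from this thread. It assumes a custom table `FirewallLogs_CL` with a `SourceUser_s` column holding the UPN; it splits the UPN into the `Name` and `UPNSuffix` parts that the Account entity uses as a strong identifier, so that the rule's entity mapping (AccountName -> Name, AccountUPNSuffix -> UPNSuffix) can line up with the accounts Defender and AAD alerts already produce.

```kql
// Added example, not code from the original post. Table and column names are assumed.
FirewallLogs_CL
// Normalise before splitting: trailing spaces and mixed case would otherwise
// produce a second, slightly different account entity.
| extend UserUpn = tolower(trim(@"\s", tostring(SourceUser_s)))
// Keep only UPN-shaped values; machine accounts or empty fields get no Account entity.
| where UserUpn matches regex @"^[^@\s]+@[^@\s]+$"
| extend UpnParts = split(UserUpn, "@")
| extend AccountName      = tostring(UpnParts[0]),   // map to Account: Name
         AccountUPNSuffix = tostring(UpnParts[1])    // map to Account: UPNSuffix
// Optional: also surface the device for a Host entity, which is how the two
// identities were being correlated in the incident graph before.
| extend HostName = tostring(column_ifexists("SourceHostName_s", ""))  // assumed column
| project TimeGenerated, UserUpn, AccountName, AccountUPNSuffix, HostName,
          EventType = tostring(column_ifexists("EventType_s", "")),   // assumed column
          Url       = tostring(column_ifexists("Url_s", ""))          // assumed column
```

In the analytics rule, set the entity mapping for Account to use `AccountName` as Name and `AccountUPNSuffix` as UPNSuffix rather than mapping the whole UPN to a single field; the merge into one entity happens on those identifier pairs, not on the raw string.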

2 Replies

  • NRT is limited and unable to join multiple tables in a query;
    alternatively you can use a Scheduled query to join FirewallLOgs_CL and the SecurityAlert table to combine both alerts.
    • TheHoff70
      Copper Contributor
      I am aware of the join limitation between NRT and Scheduled alerts, but my question is on how Sentinel parses a user into a single entity. I am not trying to combine two tables.
