Forum Discussion
May 17, 2021
Cannot get 'Entities' via a custom analytic rule.
Hello folks,
I am trying to write an analytic rule to get all the alerts from 'Microsoft 365 Security' center and generate incidents based on those alerts in Sentinel.
All that the rule is lacking is that I get the 'Entities' tab empty when an incident is made.
Can anybody help me out if possible with an KQL command to add/get the entities part?
Would really appreciate the help.
4 Replies
- CliveWatson (Former Employee): Have you mapped the Entity in your KQL? See example:
https://github.com/Azure/Azure-Sentinel/blob/06832a873e1686244f0bc02b10f79ba879078864/Detections/MultipleDataSources/PotentialBuildProcessCompromiseMDE.yaml
The last line, maps the Host (entity) to the DeviceName column:
| extend HostCustomEntity=DeviceName
The new Alert enrichment (Preview) allows you to create Entity Mapping from the UI and these work but don't appear in the KQL / rule logic - see https://docs.microsoft.com/en-gb/azure/sentinel/map-data-fields-to-entities#notes-on-the-new-version
- @CliveWatson Thanks for the reply, but this does not work. It throws the error:
The name 'entityMappings' does not refer to any known column, table, variable or function.
- CliveWatson (Former Employee): Sorry, that was just an example. You may prefer to use the UI option, or you need to replace
`<DeviceName>` with a valid column that you have in your system. As you haven't shared any syntax, it's hard to guess at what entity you are trying to map. If it's an "Account", for example, you may need
| extend AccountCustomEntity=< your account name column >
maybe username or AccountCustomEntity = UserPrincipalName
https://github.com/Azure/Azure-Sentinel/blob/06832a873e1686244f0bc02b10f79ba879078864/Detections/MultipleDataSources/IridiumIOCs.yaml
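As an added example (not Clive's code and not from the linked repository), the following KQL takes alerts from the SecurityAlert table, parses the JSON in its Entities column and fills the HostCustomEntity / AccountCustomEntity columns that the replies describe, so the Entities tab of the resulting incident is populated. The ProviderName values and the JSON field names (Type, HostName, Name, UPNSuffix) are assumptions about the SecurityAlert schema; verify them against a few rows in your workspace before enabling the rule.

```kql
// Added example: map entities from Microsoft 365 Defender alerts into
// the legacy custom-entity columns used by a scheduled analytic rule.
// Assumption: the ProviderName values below match the connector(s) in
// your workspace; adjust after checking "SecurityAlert | distinct ProviderName".
let providers = dynamic(["MDATP", "OATP"]);
SecurityAlert
| where TimeGenerated > ago(1h)
| where ProviderName in (providers)
// Entities is a string holding a JSON array; expand it to one row per entity.
| mv-expand Ent = parse_json(Entities)
| extend EntType = tolower(tostring(Ent.Type))
// Collapse back to one row per alert, keeping the first host and first
// account seen (multi-entity alerts keep only one of each; see note below).
| summarize
    HostName    = take_anyif(tostring(Ent.HostName),  EntType == "host"),
    AccountName = take_anyif(tostring(Ent.Name),      EntType == "account"),
    UpnSuffix   = take_anyif(tostring(Ent.UPNSuffix), EntType == "account"),
    arg_max(TimeGenerated, AlertName, AlertSeverity, Description, ProductName)
    by SystemAlertId
// Legacy entity mapping: the column names are what Sentinel looks for.
| extend HostCustomEntity = HostName
| extend AccountCustomEntity = iff(isnotempty(UpnSuffix),
                                   strcat(AccountName, "@", UpnSuffix),
                                   AccountName)
| project TimeGenerated, SystemAlertId, ProductName, AlertName, AlertSeverity,
          Description, HostCustomEntity, AccountCustomEntity
```

If you use the newer UI entity mapping instead, keep the HostName, AccountName and UpnSuffix columns and map them to Host/HostName and Account/Name + Account/UPNSuffix in the rule wizard; alerts with several hosts or accounts need one output row per entity rather than the take_anyif collapse shown here.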