Forum Discussion
May 16, 2021
Cannot get 'Entities' via a custom analytic rule.
Hello folks, I am trying to write an analytic rule to get all the alerts from 'Microsoft 365 Security' center and generate incidents based on those alerts in Sentinel. All that the rule is lacki...
CliveWatson
May 17, 2021
Former Employee
Have you mapped the Entity in your KQL? See example
https://github.com/Azure/Azure-Sentinel/blob/06832a873e1686244f0bc02b10f79ba879078864/Detections/MultipleDataSources/PotentialBuildProcessCompromiseMDE.yaml
The last line maps the Host (entity) to the DeviceName column:
| extend HostCustomEntity=DeviceName
The new Alert enrichment (Preview) allows you to create Entity Mapping from the UI; these work but don't appear in the KQL / rule logic - see https://docs.microsoft.com/en-gb/azure/sentinel/map-data-fields-to-entities#notes-on-the-new-version
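As an added illustration of the two mapping styles the reply above contrasts (this is not code from the thread or from the linked detection), here is a scheduled analytic rule written in the layout the Azure-Sentinel repository uses for its detection YAML files. The legacy mapping is the `HostCustomEntity` / `AccountCustomEntity` columns produced inside the query; the newer mapping is the `entityMappings` block, which is rule metadata that the portal's Entity mapping UI writes and that never appears in, and cannot be referenced from, the KQL itself. The rule id, the `ProviderName` values and the JSON field names read out of the `Entities` column are assumptions to be checked against your own `SecurityAlert` data.

```yaml
# Added example, not from the original post or the linked repository file.
# Assumptions: the rule id is a placeholder GUID; the ProviderName filter and the
# Entities JSON field names (Type, HostName, Name) must match what your workspace holds.
id: 00000000-0000-0000-0000-000000000000   # assumption: replace with a fresh GUID
name: Promote Microsoft 365 Defender alerts to incidents (example)
description: |
  Raises one incident per alert that Microsoft 365 Defender products wrote to
  SecurityAlert, with the Host and Account entities carried over.
severity: Medium
queryFrequency: 5m
queryPeriod: 5m
triggerOperator: gt
triggerThreshold: 0
tactics: []
query: |
  // Only the query lives in the KQL. Legacy entity mapping is done by naming
  // output columns *CustomEntity; the entityMappings block below is NOT KQL.
  SecurityAlert
  | where TimeGenerated > ago(5m)
  // assumption: adjust to the provider codes present in your SecurityAlert rows
  | where ProviderName in ("MDATP", "OATP", "AATP", "MCAS")
  | extend entities = parse_json(Entities)          // Entities is a JSON array string
  | mv-expand entity = entities                     // one row per entity object
  | extend EntityType = tostring(entity.Type)       // assumption: "host" / "account"
  | extend HostName    = iff(EntityType == "host",    tostring(entity.HostName), "")
  | extend AccountName = iff(EntityType == "account", tostring(entity.Name), "")
  // collapse back to one row per alert; max() over strings picks the non-empty value
  | summarize HostCustomEntity = max(HostName), AccountCustomEntity = max(AccountName)
      by SystemAlertId, AlertName, AlertSeverity, ProviderName, TimeGenerated
  // HostCustomEntity / AccountCustomEntity: legacy mapping, still honoured by Sentinel
entityMappings:   # new-style mapping; set from the rule UI, never referenced in the query
  - entityType: Host
    fieldMappings:
      - identifier: HostName
        columnName: HostCustomEntity
  - entityType: Account
    fieldMappings:
      - identifier: Name
        columnName: AccountCustomEntity
version: 1.0.0
```

Pasting the `entityMappings` lines into the query editor produces exactly the "does not refer to any known column" error, because the KQL engine sees them as an identifier it has to resolve; they belong to the rule definition, either in the YAML/ARM template or in the Entity mapping tab of the rule wizard.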
May 17, 2021
CliveWatson Thanks for the reply, but this does not work. It throws the error:
The name 'entityMappings' does not refer to any known column, table, variable or function.