Forum Discussion
Custom Entities
- Apr 16, 2020
This is Ely from the product group.
Supporting more entities as part of scheduled alerts is indeed required and planned. We are working on a solution to support a more flexible way to map entities that will support more entity types and more fields for each entity.
The requirement for supporting arrays is a bit different and will require some thought.
A short-term solution can be to use the mv-expand operator to create a line for each IP address and then map them in the regular way. You can then use the Alert Grouping feature (now available in public preview) to make sure you group the alerts so as not to generate too many incidents.
Thijs Lecomte, regarding the "Failed login attempts to Azure Portal" rule, that rule has been updated to correct the entity problem. You can copy the updated query from the Azure Sentinel GitHub repo: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SigninLogs/FailedLogonToAzurePortal.yaml
Hope that helps a bit until we get more entity types!
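The mv-expand workaround described in the post above, written out as an added KQL example (not code from the original thread or from the Azure-Sentinel repo). It assumes the standard SigninLogs columns (UserPrincipalName, IPAddress, ResultType) and the IPCustomEntity / AccountCustomEntity column names used for scheduled-rule entity mapping:

```kusto
// Added example: one row per (user, IP) so each IP can be mapped as its own entity.
// Assumes the SigninLogs table and the IPCustomEntity / AccountCustomEntity mapping columns.
SigninLogs
| where TimeGenerated > ago(1h)
| where ResultType != "0"                       // keep only failed sign-ins
| summarize FailedCount = count(),
            SourceIPs = make_set(IPAddress)     // dynamic array: one user, many IPs
  by UserPrincipalName
| where FailedCount >= 5                        // constructed threshold for the example
| mv-expand SourceIP = SourceIPs                // one row per IP in the array
| extend IPCustomEntity = tostring(SourceIP),   // entity mapping needs a string column
         AccountCustomEntity = UserPrincipalName
| project TimeGenerated = now(), AccountCustomEntity, IPCustomEntity, FailedCount
```

With Alert Grouping set to group by AccountCustomEntity, the expanded rows for one user still collapse into a single incident, which is the point of the workaround.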
But this just tostrings the IP address, so we cannot use it to correlate with other alerts, etc.