Forum Discussion
akshay250692
Jul 26, 2023 (Brass Contributor)
Custom Entity Mapping
I have written the KQL below with help from the community, but I am not able to create a custom entity in Set Rule Logic. I need to map the FailedAttempt field, but there is no option for it in the entity field.
// Number of failed sign-ins that triggers the alert, and the window to bucket them in
let threshold = 2;
let authenticationWindow = 5m;
// Failed sign-ins (bad credentials) for the user of interest
let Logs = SigninLogs
//| where UserPrincipalName == "email address removed for privacy reasons"
| where UserPrincipalName == "email address removed for privacy reasons"
| where ResultDescription has_any ("Invalid username or password", "Invalid on-premise username or password");
// First and last failure per 5-minute bucket, user, app, IP and location
Logs
| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated)
    by bin(TimeGenerated, authenticationWindow), UserPrincipalName, ResultDescription, AppDisplayName, IPAddress, Location
// Join in the failure count and keep only combinations at or above the threshold
| join kind=inner (
    Logs
    | summarize FailedAttempt = count() by ResultDescription, UserPrincipalName, AppDisplayName, IPAddress, Location
    // compare against the let-bound value; ["threshold"] would be parsed as a column named "threshold"
    | where FailedAttempt >= threshold
) on UserPrincipalName, AppDisplayName, ResultDescription, IPAddress, Location
// drop the duplicated right-hand join keys
| project-away UserPrincipalName1, AppDisplayName1, ResultDescription1, IPAddress1, Location1
Only these fields are coming up, so how can I map FailedAttempt?
- GBushey (Microsoft)
akshay250692 Add a custom entity under "Custom Details" and use the field in question.
- akshay250692 (Brass Contributor)
We have set up an automation playbook for the above alert, so the custom field is not being captured in the automation.
- GBushey (Microsoft)
If you need to have the entity usable in an Automation rule, just select one of the existing entities and assign your field to it; just make sure to select one that the Automation rule could use.
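As an added illustration that is not part of this thread, the properties block of a Sentinel scheduled analytics rule (ARM template fragment) that carries the FailedAttempt column in Custom Details while mapping the standard Account and IP entities from the same query so an automation rule or playbook can act on them; the resource name, apiVersion, display name and severity are assumed values, and the query string is a placeholder for the KQL above.

```json
{
  "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
  "apiVersion": "2022-11-01",
  "name": "[concat(parameters('workspace'), '/Microsoft.SecurityInsights/', guid('failed-signin-rule'))]",
  "kind": "Scheduled",
  "properties": {
    "displayName": "Repeated failed sign-ins from one IP (assumed name)",
    "enabled": true,
    "severity": "Medium",
    "query": "<<< paste the full KQL from the post here, with 'where FailedAttempt >= threshold' >>>",
    "queryFrequency": "PT5M",
    "queryPeriod": "PT5M",
    "triggerOperator": "GreaterThan",
    "triggerThreshold": 0,
    "suppressionEnabled": false,
    "suppressionDuration": "PT5H",
    "entityMappings": [
      {
        "entityType": "Account",
        "fieldMappings": [
          { "identifier": "FullName", "columnName": "UserPrincipalName" }
        ]
      },
      {
        "entityType": "IP",
        "fieldMappings": [
          { "identifier": "Address", "columnName": "IPAddress" }
        ]
      }
    ],
    "customDetails": {
      "FailedAttempt": "FailedAttempt",
      "Application": "AppDisplayName",
      "FailureReason": "ResultDescription"
    },
    "alertDetailsOverride": {
      "alertDescriptionFormat": "{{FailedAttempt}} failed sign-ins for {{UserPrincipalName}} from {{IPAddress}}"
    }
  }
}
```

The key on the left of each customDetails entry is the name the alert exposes, the value is the query column it is read from; the Account and IP mappings are what an automation rule or playbook sees as entities.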