Forum Discussion

FaRa_AVM
Copper Contributor
Jul 30, 2025

Incident Missing Entities

Good morning!
I would like to have some clarification on how entities work. Yesterday I found out that if I have 2 entities of the same type (In this particular case, two entities of the type Account), with the same identifier (originally, both share the identifier 'Name'), Sentinel appears to throw away one of them, or both in some instances, and when the alert generates an incident, the entities defined won't appear. 

I have switched out the identifier on both account types to something different, but until an incident gets triggered, I can't confirm if this will fix the original issue. 


So my questions are

  • An analytic rule can or can't have two entities of the same type defined? 
  • If yes, that means that they need to have different identifiers. Is this a correct assumption?
    • Some identifiers expect a certain type of value to be assigned, which means that eventually I can run out of identifiers for my entities, or face the added complexity of dealing with types when returning values from my KQL query.
    • What could happen if I map an identifier to something that matches the type but not what that identifier represents? In this case, for Account, we have the identifier ObjectGuid. If I assign a string value to it that is not a GUID, wouldn't that mess up something else in the background? For example, incident grouping.

If I move instead to use Sentinel Entities, which appear to be the 'general' option, I could only use one, since I only have 'entity' as an available identifier, looping back to the problem of being able to have only one type of identifier per entity type. 

Thanks in advance

2 Replies

  • Ankit
    Brass Contributor

    Hi FaRa_AVM

    1. Can an analytic rule have two entities of the same type?
      Yes — but Sentinel’s entity mapping system will not keep both if they share the same type and the same identifier. Internally, it uses the identifier field as a “primary key” for deduplication when an alert is promoted to an incident. If you map both to the same identifier (e.g., Name for Account), one will get dropped — sometimes both if the backend can’t resolve which to keep.
    2. Do they need different identifiers?
      Correct. If you want to keep two entities of the same type in the incident entity list, they must be mapped to different identifiers (e.g., one Name, one UPNSuffix, or ObjectGuid). This forces Sentinel to treat them as distinct.
    3. Can you “run out” of identifiers?
      In theory, yes. Each entity type has a fixed set of identifiers that Sentinel recognizes (per Microsoft’s schema). If you try to cram more logical entities of the same type into one alert than there are unique identifiers, you’ll have to reuse or accept that some will be dropped. It also means you sometimes need extra logic in your KQL to differentiate which value maps to which identifier.
    4. What if I map an identifier to the wrong kind of value?
      Sentinel’s incident backend doesn’t hard-validate the content type for most identifiers — you can assign a non-GUID string to ObjectGuid without an immediate failure. However, this can break downstream enrichment, correlation, or incident grouping logic that expects a valid GUID. For example, incident grouping rules looking for ObjectGuid equality will fail or mis-group if it’s junk data.
    5. Using the generic Entity type instead
      The generic Entity type is a fallback, but it has the same limitation — only one mapping per identifier (entity). If you need more than one logical entity in the same incident, it won’t solve the core limitation. You’re better off mapping to the real entity types with unique identifiers wherever possible.


    Thanks 


  • I am not sure if these links help. I recommend using Account with multiple indicators. You might also look at other template rules as an example. The template-based rules are really good at entity mapping, but it can be tricky for custom rules. You are identifying one or more columns as an entity indicator. It can be hard to determine if the data in those columns is properly formatted. It may be possible to revise the column in the detection KQL to improve entity mapping consistency. If mapping is failing, try running the query to see if the mapped indicator is missing or oddly formatted.

    https://learn.microsoft.com/en-us/azure/sentinel/map-data-fields-to-entities

    https://learn.microsoft.com/en-us/azure/sentinel/entities

    https://learn.microsoft.com/en-us/azure/sentinel/entities-reference 
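The check suggested in the reply above (run the detection query and look at whether the columns you map are empty or oddly formatted) can be built into the query itself. The following KQL is an added example, not code from either poster or from Microsoft; the event rows are a constructed `datatable` and the column names (`Actor`, `Target`, `TargetObjectGuid`, and the derived `ActorName`, `TargetName`, etc.) are hypothetical. It shapes two accounts per event into the identifier columns that Sentinel documents as strong Account identifiers (`Name` + `UPNSuffix`, `Name` + `NTDomain`, or `ObjectGuid`), only passes `ObjectGuid` through when the value actually parses as a GUID, and flags rows whose mapped identifiers would be incomplete.

```kusto
// Constructed sample rows (not real telemetry). Each event names two accounts:
// the actor as a UPN, and a target that may arrive as a UPN, as DOMAIN\sam,
// or be missing, plus an ObjectGuid column that is sometimes malformed.
let SampleEvents = datatable(TimeGenerated:datetime, Actor:string, Target:string, TargetObjectGuid:string)
[
    datetime(2025-07-29T08:00:00Z), "alice@contoso.com", "bob@contoso.com", "6f9619ff-8b86-d011-b42d-00c04fc964ff",
    datetime(2025-07-29T08:05:00Z), "carol@contoso.com", "CONTOSO\\dave",   "not-a-guid",
    datetime(2025-07-29T08:10:00Z), "erin@contoso.com",  "",                ""
];
SampleEvents
// First Account entity: Name + UPNSuffix, derived by splitting the UPN.
| extend ActorName      = tostring(split(Actor, "@")[0]),
         ActorUPNSuffix = tostring(split(Actor, "@")[1])
// Second Account entity: normalise UPN or DOMAIN\sam into Name plus the
// matching second identifier (UPNSuffix or NTDomain), never both.
| extend TargetName      = iff(Target contains "@", tostring(split(Target, "@")[0]), tostring(split(Target, "\\")[1])),
         TargetUPNSuffix = iff(Target contains "@", tostring(split(Target, "@")[1]), ""),
         TargetNTDomain  = iff(Target contains "\\", tostring(split(Target, "\\")[0]), "")
// Only hand ObjectGuid to the mapping when it is a real GUID; toguid() returns
// null for anything else, so junk such as "not-a-guid" becomes an empty string.
| extend TargetObjectGuidClean = iff(isnotnull(toguid(TargetObjectGuid)), TargetObjectGuid, "")
// Rows where a mapped identifier is empty are the ones that will not produce
// the expected entity; surface the reason so it can be fixed in the query.
| extend MappingIssue = case(
        isempty(ActorName) or isempty(ActorUPNSuffix), "Actor incomplete",
        isempty(TargetName), "Target name missing",
        isempty(TargetObjectGuidClean) and isnotempty(TargetObjectGuid), "Target ObjectGuid malformed",
        "")
| project TimeGenerated, ActorName, ActorUPNSuffix,
          TargetName, TargetUPNSuffix, TargetNTDomain, TargetObjectGuidClean, MappingIssue
```

With the columns shaped this way, the rule's entity mapping can declare two Account entities that draw from different columns: the first with `Name` from `ActorName` and `UPNSuffix` from `ActorUPNSuffix`, the second with `Name` from `TargetName`, `UPNSuffix` from `TargetUPNSuffix`, `NTDomain` from `TargetNTDomain` and `ObjectGuid` from `TargetObjectGuidClean`. In the constructed data, the second row reports a malformed ObjectGuid and the third row a missing target name, which is exactly what you would want to see in the query results before the rule ever fires.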
