Forum Discussion

FaRa_AVM's avatar
FaRa_AVM
Copper Contributor
Jul 30, 2025

Incident Missing Entities

Good morning! I would like to have some clarification on how entities work. Yesterday I found out that if I have 2 entities of the same type (In this particular case, two entities of the type Accoun...
alerts
detection
KQL
AndrewBlumhardt's avatar
AndrewBlumhardt
Icon for Microsoft rankMicrosoft
Aug 04, 2025

I am not sure if these link helps. I recommend using Account with multiple indicators. You might also look at other template rules as an example. The template-based rules are really good at entity mapping, but it can be tricky for custom rules. You are identifying one or more column as an entity indicator. It can be hard to determine if the data in that column is properly formatted. It may be possible to revise the column in the detection KQL to improve entity mapping consistency. If mapping is failing, try running the query to see if the mapped indicator is missing or oddly formatted.

https://learn.microsoft.com/en-us/azure/sentinel/map-data-fields-to-entities

https://learn.microsoft.com/en-us/azure/sentinel/entities

https://learn.microsoft.com/en-us/azure/sentinel/entities-reference 

Resources