Forum Discussion
FaRa_AVM
Jul 30, 2025
Copper Contributor
Incident Missing Entities
Good morning! I would like to have some clarification on how entities work. Yesterday I found out that if I have 2 entities of the same type (In this particular case, two entities of the type Accoun...
Ankit
Aug 07, 2025
Brass Contributor
Hi FaRa_AVM
- Can an analytic rule have two entities of the same type?

Yes — but Sentinel’s entity mapping system will not keep both if they share the same type and the same identifier. Internally, it uses the identifier field as a “primary key” for deduplication when an alert is promoted to an incident. If you map both to the same identifier (e.g., Name for Account), one will get dropped — sometimes both if the backend can’t resolve which to keep.

- Do they need different identifiers?

Correct. If you want to keep two entities of the same type in the incident entity list, they must be mapped to different identifiers (e.g., one Name, one UPNSuffix, or ObjectGuid). This forces Sentinel to treat them as distinct.

- Can you “run out” of identifiers?

In theory, yes. Each entity type has a fixed set of identifiers that Sentinel recognizes (per Microsoft’s schema). If you try to cram more logical entities of the same type into one alert than there are unique identifiers, you’ll have to reuse or accept that some will be dropped. It also means you sometimes need extra logic in your KQL to differentiate which value maps to which identifier.

- What if I map an identifier to the wrong kind of value?

Sentinel’s incident backend doesn’t hard-validate the content type for most identifiers — you can assign a non-GUID string to ObjectGuid without an immediate failure. However, this can break downstream enrichment, correlation, or incident grouping logic that expects a valid GUID. For example, incident grouping rules looking for ObjectGuid equality will fail or mis-group if it’s junk data.

- Using the generic Entity type instead

The generic Entity type is a fallback, but it has the same limitation — only one mapping per identifier (entity). If you need more than one logical entity in the same incident, it won’t solve the core limitation. You’re better off mapping to the real entity types with unique identifiers wherever possible.
Thanks
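As an added example, not posted by either participant, here is a Scheduled analytics rule in the YAML layout used for detections in the Azure-Sentinel GitHub repository. It maps two Account entities from a single query over Windows event 4720 (a user account was created): the actor that created the account (SubjectUserName / SubjectDomainName) and the account that was created (TargetUserName / TargetDomainName). Each Account mapping uses the Name plus NTDomain identifier pair, which Microsoft documents as a strong identifier for Account; the two entities stay distinct in the incident because they are fed from different columns and therefore carry different values. The rule id is a placeholder, and the column names are those of the SecurityEvent table.

```yaml
# Added example: Sentinel Scheduled analytics rule with two Account entity mappings.
# The id is a placeholder; generate a fresh GUID before deploying.
id: 00000000-0000-0000-0000-000000000000
name: Local or domain user account created (actor and target mapped separately)
description: |
  Detects Windows event 4720 and surfaces both the account that performed the
  creation and the account that was created as separate Account entities.
severity: Medium
requiredDataConnectors:
  - connectorId: SecurityEvents
    dataTypes:
      - SecurityEvent
queryFrequency: 1h
queryPeriod: 1h
triggerOperator: gt
triggerThreshold: 0
tactics:
  - Persistence
relevantTechniques:
  - T1136
query: |
  SecurityEvent
  | where EventID == 4720
  // Every column referenced below in entityMappings must be present in the output.
  | extend HostName = tostring(split(Computer, ".")[0])
  | project TimeGenerated, Computer, HostName,
            SubjectUserName, SubjectDomainName,
            TargetUserName, TargetDomainName
entityMappings:
  # Entity 1: the actor. Name + NTDomain is a documented strong identifier pair for Account.
  - entityType: Account
    fieldMappings:
      - identifier: Name
        columnName: SubjectUserName
      - identifier: NTDomain
        columnName: SubjectDomainName
  # Entity 2: the created account. Same entity type and same identifier names,
  # but sourced from different columns, so the values (and the entity) differ.
  - entityType: Account
    fieldMappings:
      - identifier: Name
        columnName: TargetUserName
      - identifier: NTDomain
        columnName: TargetDomainName
  # A third entity of a different type, for the machine on which the event was logged.
  - entityType: Host
    fieldMappings:
      - identifier: HostName
        columnName: HostName
version: 1.0.0
kind: Scheduled
```

The entityMappings block has the same shape as the properties.entityMappings array of a Microsoft.SecurityInsights/alertRules ARM resource (entityType plus a fieldMappings list of identifier/columnName pairs), so the same mapping can be deployed from a template or from the portal's Entity mapping tab. Two checks worth doing before relying on a rule like this: every columnName must exist in the query's projected output, and every identifier must be one that Microsoft lists for that entity type, since a column that is absent from the results leaves that identifier empty on the resulting entity.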