Inconsistent entity information

Question

I'm trying to use a playbook trigged by an analytics rule to automate sending an approval email for things like a new device being registered to a user or MFA settings being changed. When the playbook is triggered I seem to get inconsistent entity information from the incident, for example sometimes "accountname" only shows first.last and sometimes accountname is the full UPN which is what I want and what's specified in the analytics rule. Because of this the playbook fails later when I try to use the accountname for other things. How can I get this to be consistent?

clive_watson · Answer

You dont mention which rule / data table. But I know we sometimes have had to fix certain Rules to validate the entity information to make it more consistent, for automations to work properly.

clive_watson · Answer

https://learn.microsoft.com/en-gb/azure/active-directory/fundamentals/security-operations-user-accounts#accounts-not-following-naming-policiesThere is some guidance and Rules for this

sbradbury · Answer

It seems more like a timing issue of some sort, I have seen different entity information from the exact same account and same rule.

clive_watson · Answer

In that case maybe the rule can be improved, is it a rule that is using a legacy schema item, so you need to choose the newer column, or can you enhance the entity when you see a malformed UPN?

Forum Discussion

Inconsistent entity information

4 Replies

Resources