TAMMM
Feb 26, 2024 (Copper Contributor)
Microsoft Sentinel incident entities mapping not showing some alert fields
Hello,
I am working on the rule "Attempt to bypass conditional access rule in Azure AD", which only shows the Account entity. I modified the rule to add an IP entity named "IPAddresses" that contains a set of IP addresses (this field was built with the make_list function).
But unfortunately this content does not appear in the entities area.
Can you help me, please!
You can simulate the case with the rule I mentioned above.
1 Reply
- Clive_Watson (Bronze Contributor)
  This is now called: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Entra%20ID/Analytic%20Rules/BypassCondAccessRule.yaml
  You can see that the standard rule, if deployed from the YAML, will map IP Address without amending it.