Forum Discussion

GC_08's avatar
GC_08
Copper Contributor
Aug 13, 2021
Solved

User contact info is blank when viewing Sentinel incident details via Lighthouse

When viewing a customer's Sentinel incidents via Azure Lighthouse, we are unable to see the contact details of any of their users when investigating the incident (clicking on the user's entity link p...
  • GC_08's avatar
    GC_08
    Aug 15, 2021

    Ok, I've found the solution. User contact details (amongst other things) are stored in the 'IdentityInfo' table which is created when you enable UEBA. Once UEBA is enabled, all AAD user details are synced into the ‘IdentityInfo’ table. This makes them accessible via Lighthouse in the LA workspace and doesn't require AAD reader rights. It's a pity info like office location, mobile phone and manager aren't visible in the incident details via Lighthouse but at least they are accessible in the logs.

    https://techcommunity.microsoft.com/t5/azure-sentinel/what-s-new-identityinfo-table-is-now-in-public-preview/ba-p/2571037

GC_08's avatar
GC_08
Copper Contributor
Aug 15, 2021

Ok, I've found the solution. User contact details (amongst other things) are stored in the 'IdentityInfo' table which is created when you enable UEBA. Once UEBA is enabled, all AAD user details are synced into the ‘IdentityInfo’ table. This makes them accessible via Lighthouse in the LA workspace and doesn't require AAD reader rights. It's a pity info like office location, mobile phone and manager aren't visible in the incident details via Lighthouse but at least they are accessible in the logs.

https://techcommunity.microsoft.com/t5/azure-sentinel/what-s-new-identityinfo-table-is-now-in-public-preview/ba-p/2571037

  • alancho's avatar
    alancho
    Copper Contributor
    Apr 12, 2022
    We have the same problem, but go to the Identity Table is not enough solution. All the info is there but maybe there are some problems between the UI and the backend info. We dont see any information (apart of S-ID and AAD Object ID ) on the UEBA page using lighthouse or not. We need to see more information on the User page, if not that feature is useless.