Forum Discussion
Solved
User contact info is blank when viewing Sentinel incident details via Lighthouse
When viewing a customer's Sentinel incidents via Azure Lighthouse, we are unable to see the contact details of any of their users when investigating the incident (clicking on the user's entity link p...
Ok, I've found the solution. User contact details (amongst other things) are stored in the 'IdentityInfo' table which is created when you enable UEBA. Once UEBA is enabled, all AAD user details are synced into the ‘IdentityInfo’ table. This makes them accessible via Lighthouse in the LA workspace and doesn't require AAD reader rights. It's a pity info like office location, mobile phone and manager aren't visible in the incident details via Lighthouse but at least they are accessible in the logs.
I open the debate, I have checked it without using the Azure Lighthouse, i.e. from an environment with sufficient privileges, and this information still does not appear. Has this happened to anyone else?
Is it true that the information is reported in the "Identity Info" table but this not appear in the UEBA Panel.
Is it true that the information is reported in the "Identity Info" table but this not appear in the UEBA Panel.