cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
SOLVED

Custom Entities

Thijs Lecomte
Bronze Contributor

‎Apr 09 2020 02:18 AM - last edited on ‎Nov 09 2023 11:09 AM by

‎Apr 09 2020 02:18 AM - last edited on ‎Nov 09 2023 11:09 AM by

Custom Entities

Hi all

 

When you create a rule and configure your Entities, there used to be a line that says 

"More custom entities coming soon", this seems to have been removed.

 

Can the PG share any announcements on this?

We would really need Arrays to be a supported Entity Type.

In rules like "Failed login attempts to Azure Portal", there is an array of IP-addresses per event.

As we cannot map an array to the IP entity, I adapted the query to map the first address to the IP entity field.

 

This solution isn't pretty, but it's the only workaround possible.

4,922 Views
1 Like
7 Replies
Reply
7 Replies
Sarah_Young

‎Apr 14 2020 04:18 PM

‎Apr 14 2020 04:18 PM

Re: Custom Entities

@Thijs Lecomte Thanks for your feedback, unfortunately we don't have anything to share publicly about this right now.

 

Thanks!

Sarah

0 Likes
Reply
wadstromdev

‎Apr 15 2020 07:32 AM

‎Apr 15 2020 07:32 AM

Re: Custom Entities

@Thijs Lecomte, regarding the "Failed login attempts to Azure Portal" rule, that rule has been updated to correct the entity problem. You can copy the updated query from the Azure Sentinel Github repo: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SigninLogs/FailedLogonToAzurePortal.y...

 

Hope that helps a bit until we get more entity types!

1 Like
Reply
Thijs Lecomte

‎Apr 15 2020 07:50 AM

‎Apr 15 2020 07:50 AM

Re: Custom Entities

This helps thank you!

But this just tostrings the IP address. So we cannot use this to correlate to other alerts etc.
0 Likes
Reply
best response confirmed by Thijs Lecomte (Bronze Contributor)
Ely_Abramovitch

‎Apr 16 2020 05:09 AM

‎Apr 16 2020 05:09 AM

Solution

Re: Custom Entities

Hi,@Thijs Lecomte 

 

This is Ely from the product group.

Supporting more entities as part of scheduled alerts is indeed required and planned. We are working on a solution to support a more flexible way to map entities that will support more entity types and more fields for each entity.

 

The requirement for supporting arrays is a bit different and will require some thought.

A short-term solution can be to use the mv-expand operator to create a line for each IP address and then map them using the regular way. You can then use the Alert Grouping feature (now available in public preview) to make sure you group the alerts as to not generate too many incidents.

0 Likes
Reply
akefallonitis

‎May 01 2020 01:18 AM

‎May 01 2020 01:18 AM

Re: Custom Entities

@Ely_Abramovitch 

 

When more custom entities is planned ? Any timeline ?

 

Also field aggregation in correlation should be considered in scenarios when we need to pass field as a parameter to the correlated rule especially in a MSSP enviroment or even multiple layers of correlation rules needed.

 

E.g Alertname , CustomerName should be able to be aggregated to be able to check which alert got hit in which Customer. Is that something that will be considered also ?

 

Did not find any request so i added my own in the uservoice: https://feedback.azure.com/forums/920458-azure-sentinel/suggestions/40271452-azure-sentinel-rules-fi...

 

Thanks

1 Like
Reply
akshay250692

‎Jul 26 2023 09:43 AM

‎Jul 26 2023 09:43 AM

Re: Custom Entities

any KQL for Failed login attempts to Azure Portal
0 Likes
Reply
AMateos91

‎Aug 24 2023 04:27 AM

‎Aug 24 2023 04:27 AM

Re: Custom Entities

@akefallonitis I think you should be able these days to aggregate those user mames in order to check out the alert functionality.
0 Likes
Reply
1 best response

Accepted Solutions
best response confirmed by Thijs Lecomte (Bronze Contributor)
Ely_Abramovitch

‎Apr 16 2020 05:09 AM

‎Apr 16 2020 05:09 AM

Solution

Re: Custom Entities

Hi,@Thijs Lecomte 

 

This is Ely from the product group.

Supporting more entities as part of scheduled alerts is indeed required and planned. We are working on a solution to support a more flexible way to map entities that will support more entity types and more fields for each entity.

 

The requirement for supporting arrays is a bit different and will require some thought.

A short-term solution can be to use the mv-expand operator to create a line for each IP address and then map them using the regular way. You can then use the Alert Grouping feature (now available in public preview) to make sure you group the alerts as to not generate too many incidents.

View solution in original post

0 Likes
Reply