Microsoft Tech Community

Custom Entity Mapping

Brass Contributor

I wrote the KQL below with help from the community, but I am not able to create a custom entity in Set Rule Logic. I need to map the FailedAttempt field, but there is no option for it in the entity field.


let threshold = 2;
let authenticationWindow = 5m;
// Failed password sign-ins for the user in question
let Logs = SigninLogs
    //| where UserPrincipalName == "email address removed for privacy reasons"
    | where UserPrincipalName == "email address removed for privacy reasons"
    | where ResultDescription has_any ("Invalid username or password", "Invalid on-premise username or password");
// First and last failure per time window and per user/app/IP/location
Logs
| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated)
    by bin(TimeGenerated, authenticationWindow), UserPrincipalName, AppDisplayName, ResultDescription, IPAddress, Location
// Count the failures per combination and keep only those at or above the threshold
| join kind=inner (
    Logs
    | summarize FailedAttempt = count() by ResultDescription, UserPrincipalName, AppDisplayName, IPAddress, Location
    | where FailedAttempt >= threshold
    ) on UserPrincipalName, AppDisplayName, ResultDescription, IPAddress, Location
// Drop the duplicate key columns the join adds
| project-away UserPrincipalName1, AppDisplayName1, ResultDescription1, IPAddress1, Location1

Only these fields are showing, so how can I map the failed attempt field?

9 Replies

@akshay250692 Add a custom entity under "Custom Details" and use the field in question.

We have set an automation playbook for the above alert, so the custom field is not being captured in the automation.
best response confirmed by akshay250692 (Brass Contributor)
If you need the entity to be usable in an Automation rule, just select one of the existing entities and assign your field to it; just make sure to select one that the Automation rule can use.
This is the issue. If you look at the screenshot, when I select Process there is no field related to failed login attempts.
The Automation rule has a condition called "Custom details key". You can create a custom entity that will contain your field and then, in the Automation rule, select "Custom details key" that equals your custom entity name. Then another field called "Custom details value" gets created and you can use that to compare your value.
No option for "when alert is triggered".
Not much can be done about that as the alert trigger has minimal functionality. I would suggest using the incident trigger if at all possible.
We are creating the playbook to reduce incidents.
I would say you would be better off modifying the KQL of your rule to reduce the number of events being found rather than trying to use Automation rules. Once an alert has been generated, the incident will be created as well, unless the rule has been set to not create incidents automatically.
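As an added example (not code from the thread or from Microsoft), here is one way to follow the last reply's advice and apply the threshold inside the rule query itself, so the count is produced in a single summarize and only combinations that actually exceed the threshold become alerts. It also shapes the output so the remaining columns line up with built-in entities the rule can map (Account via Name and UPNSuffix, IP via Address, CloudApplication via Name), while FailedAttempt stays available for Custom Details. The column names are the standard SigninLogs columns already used in the question; the threshold and window values are assumptions carried over from the original query.

```kql
// Added example: single-pass version of the failed-sign-in rule query.
// The threshold is enforced here, so the rule fires only for user/app/IP
// combinations that reach it within the window (fewer alerts, fewer incidents).
let threshold = 2;               // assumed value, same as the question
let authenticationWindow = 5m;   // assumed value, same as the question
SigninLogs
| where ResultDescription has_any ("Invalid username or password",
                                   "Invalid on-premise username or password")
| summarize StartTimeUtc  = min(TimeGenerated),
            EndTimeUtc    = max(TimeGenerated),
            FailedAttempt = count()
    by bin(TimeGenerated, authenticationWindow),
       UserPrincipalName, AppDisplayName, IPAddress, Location
| where FailedAttempt >= threshold
// Split the UPN so it can be mapped to the Account entity (Name + UPNSuffix);
// IPAddress maps to the IP entity and AppDisplayName to CloudApplication.
| extend AccountName = tostring(split(UserPrincipalName, "@")[0]),
         UPNSuffix   = tostring(split(UserPrincipalName, "@")[1])
| project StartTimeUtc, EndTimeUtc, FailedAttempt,
          UserPrincipalName, AccountName, UPNSuffix,
          AppDisplayName, IPAddress, Location
```

In Set Rule Logic, map Account to AccountName and UPNSuffix, IP to IPAddress, and CloudApplication to AppDisplayName, then add FailedAttempt under Custom Details with a key such as FailedAttempt. An automation rule on the incident trigger can then use the "Custom details key" / "Custom details value" condition described earlier in the thread to branch on that count.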