Forum Discussion

JILIN_RAJU's avatar
JILIN_RAJU
Copper Contributor
May 13, 2022

Microsoft 365 defender alerts not capturing fields (entities) in azure sentinel

 

          We got an alert from 365 defenders to azure sentinel ( A potentially malicious URL click was detected). To investigate this alert we have to check in the 365 defender portal.

We noticed that entities are not capturing (user, host, IP). How can we resolve this issue? 

Note: This is not a custom rule. 

  • BcyberS's avatar
    BcyberS
    Brass Contributor
    We have the same issue but I know why:

    firstly, are you saying entities are not capturing in MS Sentinel (this is our issue too). If you pivot to to Microsoft 365 defender you will see the entities for the given incident or alert.

    I was told by MS support that at this time entities do not capture from MS 365 defender for all incidents. This is an up coming feature which Microsoft are working on to bring entities into Sentinel. For now you have to pivot into MS 365 defender to review the entities. Not ideal for analysts but I guess the MS 365 Defender data connector is still in Preview mode,
  • rp377's avatar
    rp377
    Copper Contributor
    is this issue resolved ??

    It is 2023 and I am also finding it difficult to receive entities details from Microsoft 365 Defender alerts in Sentinel for all the received alerts.

Resources