Microsoft Secure Tech Accelerator
Apr 13 2023, 07:00 AM - 12:00 PM (PDT)
Microsoft Tech Community

Microsoft 365 defender alerts not capturing fields (entities) in azure sentinel

New Contributor


          We got an alert from 365 defenders to azure sentinel ( A potentially malicious URL click was detected). To investigate this alert we have to check in the 365 defender portal.

We noticed that entities are not capturing (user, host, IP). How can we resolve this issue? 

Note: This is not a custom rule. 

1 Reply
We have the same issue but I know why:

firstly, are you saying entities are not capturing in MS Sentinel (this is our issue too). If you pivot to to Microsoft 365 defender you will see the entities for the given incident or alert.

I was told by MS support that at this time entities do not capture from MS 365 defender for all incidents. This is an up coming feature which Microsoft are working on to bring entities into Sentinel. For now you have to pivot into MS 365 defender to review the entities. Not ideal for analysts but I guess the MS 365 Defender data connector is still in Preview mode,