Microsoft Sentinel incident entity mapping not showing some alert fields




I am working on the rule "Attempt to bypass conditional access rule in Azure AD", which only shows the Account entity. I modified the rule to add an IP entity named "IPAddresses" that contains a set of IP addresses (this field was built with the make_list function).


But unfortunately this content does not appear in the entities area.


Can you help me, please?

You can simulate the case with the rule I mentioned above.



1 Reply
This is now called:

You can see that the standard rule if deployed from the YAML will map IP Address without amending it.