Aug 16 2023 04:42 AM
Hi all
There is something that has been annoying me for a while and I felt it's finally time to post about it.
We have a hybrid AD-AAD setup with a user sync that has been up and running for years; that particular feature is not my area, but from what I've heard the sync is working fine.
My trouble is that Sentinel seems to not be able to resolve the AAD Object ID of some users. For example, if I use the Entity Behaviour feature to look up one user, its entity page shows "-" as the Azure AD Object ID. Alerts and incidents are shown for the user, so Sentinel seems to be able to tie the user to incidents at least. If I select another user I might get the full AAD Object ID. This is driving me crazy because I have a few playbooks where I need the AAD ID and they don't work as it is now.
Could anyone shed some light on what process lies behind the correlation between a user and the AAD ID?
Regards
Fredrik
Sep 15 2023 07:08 PM - edited Sep 15 2023 07:09 PM
@TheHoff70 the analytics that are mapped to the playbook, have they been mapped with the appropriate entities for Azure object IDs?
This will surface the specific information for the playbooks to fire properly against the alert when it is triggered.
Check out this link to further information
Map data fields to Microsoft Sentinel entities | Microsoft Learn
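As an added illustration of the mapping the reply refers to (not code from the thread or from Microsoft's documentation), here is a constructed Sentinel scheduled analytics rule in the YAML rule-template format. It assumes the SigninLogs table from the Azure AD sign-in connector is present; its UserId column holds the AAD object ID, and mapping that column to the Account entity's AadUserId identifier is what puts the object ID on the incident's entity for a playbook to read.

```yaml
# Constructed example: a scheduled analytics rule whose query exposes the AAD
# object ID as a column and whose entity mapping hands it to the Account entity
# as AadUserId. Column names assume the SigninLogs table of the Azure AD connector.
id: 00000000-0000-0000-0000-000000000000   # placeholder; generate a fresh GUID
name: Repeated sign-in failures (Account entity mapped with AAD object ID)
description: |
  Flags users with many failed sign-ins in the last hour. The Account entity
  carries AadUserId, so a playbook can take the object ID directly from the
  incident entities instead of relying on a later name-based resolution.
severity: Medium
requiredDataConnectors:
  - connectorId: AzureActiveDirectory
    dataTypes:
      - SigninLogs
queryFrequency: 1h
queryPeriod: 1h
triggerOperator: gt
triggerThreshold: 0
tactics:
  - CredentialAccess
query: |
  SigninLogs
  | where TimeGenerated > ago(1h)
  | where ResultType != "0"          // non-zero ResultType means the sign-in failed
  | where isnotempty(UserId)         // UserId is the AAD object ID of the signing-in user
  | summarize FailedCount = count() by UserId, UserPrincipalName
  | where FailedCount >= 10
  // Split the UPN so Name and UPNSuffix can be mapped alongside the object ID
  | extend Name = tostring(split(UserPrincipalName, "@")[0]),
           UPNSuffix = tostring(split(UserPrincipalName, "@")[1])
entityMappings:
  - entityType: Account
    fieldMappings:
      - identifier: AadUserId      # strong identifier: the entity page shows this as the AAD Object ID
        columnName: UserId
      - identifier: Name
        columnName: Name
      - identifier: UPNSuffix
        columnName: UPNSuffix
```

A rule that maps only Name (or only FullName) leaves Sentinel to resolve the object ID itself, which is where a "-" on the entity page and an empty value in the playbook come from.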