User contact info is blank when viewing Sentinel incident details via Lighthouse

When viewing a customer's Sentinel incidents via Azure Lighthouse, we are unable to see the contact details of any of their users when investigating the incident (clicking on the user's entity link presents blank contact details). When viewing the same incidents whilst logged on directly to the customer's tenant, the contact info is visible.

I assume this is because Lighthouse can only delegate permissions up to the subscription level, and our SOC analysts don't have Directory Reader permissions on the customer's AAD. However, this is a big issue for our SOC because without the contact info, initial triage and incident assessment can't easily be carried out.

Can anyone advise if this is a limitation of the scope of Lighthouse's permissions, or is there a way to view these contact details that I'm missing?

 

Thanks

GC

 

3 Replies
best response confirmed by GC_08 (Copper Contributor)
Solution

Ok, I've found the solution. User contact details (amongst other things) are stored in the 'IdentityInfo' table which is created when you enable UEBA. Once UEBA is enabled, all AAD user details are synced into the ‘IdentityInfo’ table. This makes them accessible via Lighthouse in the LA workspace and doesn't require AAD reader rights. It's a pity info like office location, mobile phone and manager aren't visible in the incident details via Lighthouse but at least they are accessible in the logs.

https://techcommunity.microsoft.com/t5/azure-sentinel/what-s-new-identityinfo-table-is-now-in-public...
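
The lookup described in the accepted answer, as an added example that is not part of the original thread: a KQL query, run in the customer's Log Analytics workspace through Lighthouse, that attaches contact details from `IdentityInfo` to the account entities on recent alerts. It assumes UEBA is enabled, that alerts land in the standard `SecurityAlert` table with an `AadUserId` on account entities, and the two lookback windows are arbitrary values chosen for illustration.

```kql
// Added example (not from the thread): enrich alert account entities
// with contact details synced into IdentityInfo by UEBA.
let alertLookback = 1d;      // assumed triage window
let identityLookback = 14d;  // assumed window for finding each user's latest record
// Latest IdentityInfo row per user; the table holds many snapshots per account.
let LatestIdentity =
    IdentityInfo
    | where TimeGenerated > ago(identityLookback)
    | extend AccountObjectId = tolower(AccountObjectId)
    | summarize arg_max(TimeGenerated, *) by AccountObjectId
    | project AccountObjectId, AccountUPN, AccountDisplayName, MailAddress,
              Phone, JobTitle, Department, Manager, City, Country;
SecurityAlert
| where TimeGenerated > ago(alertLookback)
// Entities is a JSON string; expand it to one row per entity.
| mv-expand Entity = todynamic(Entities)
| where tostring(Entity.Type) =~ "account"
| extend AccountObjectId = tolower(tostring(Entity.AadUserId))
// On-premises-only accounts carry no AadUserId and are skipped here.
| where isnotempty(AccountObjectId)
// Alerts can be written more than once; keep the latest row per alert and user.
| summarize arg_max(TimeGenerated, AlertName, AlertSeverity)
    by SystemAlertId, AccountObjectId
// leftouter keeps alerts whose user has not been synced into IdentityInfo yet.
| join kind=leftouter LatestIdentity on AccountObjectId
| project TimeGenerated, AlertName, AlertSeverity, AccountUPN,
          AccountDisplayName, MailAddress, Phone, JobTitle, Department,
          Manager, City, Country, AccountObjectId, SystemAlertId
| order by TimeGenerated desc
```

Rows where the contact columns come back empty indicate a user with no `IdentityInfo` record inside the lookback window rather than a permissions problem.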

We have the same problem, but going to the Identity table is not enough of a solution. All the info is there, but maybe there are some problems between the UI and the backend info. We don't see any information (apart from S-ID and AAD Object ID) on the UEBA page, using Lighthouse or not. We need to see more information on the User page; if not, that feature is useless.
I'll open the debate: I have checked it without using Azure Lighthouse, i.e. from an environment with sufficient privileges, and this information still does not appear. Has this happened to anyone else?
Is it true that the information is reported in the "Identity Info" table but does not appear in the UEBA panel?