User contact info is blank when viewing Sentinel incident details via Lighthouse

New Contributor

When viewing a customer's Sentinel incidents via Azure Lighthouse, we are unable to see the contact details of any of their users when investigating the incident (clicking on the user's entity link presents blank contact details). When viewing the same incidents whilst logged on directly to the customer's tenant, the contact info is visible.

I assume this is because Lighthouse can only delegate permissions up to the subscription level, and our SOC analysts don't have Directory Reader permissions on the customer's AAD. However, this is a big issue for our SOC because without the contact info, initial triage and incident assessment can't easily be carried out.

Can anyone advise if this is a limitation of the scope of Lighthouse's permissions, or is there a way to view these contact details that I'm missing?





1 Reply
best response confirmed by Gavin_Chi (New Contributor)

Ok, I've found the solution. User contact details (amongst other things) are stored in the 'IdentityInfo' table which is created when you enable UEBA. Once UEBA is enabled, all AAD user details are synced into the ‘IdentityInfo’ table. This makes them accessible via Lighthouse in the LA workspace and doesn't require AAD reader rights. It's a pity info like office location, mobile phone and manager aren't visible in the incident details via Lighthouse but at least they are accessible in the logs.