User missing from incident owners


Greetings

I cannot understand an issue I'm facing. In our small team of SOC analysts I, as a manager, am unable to add incidents to one of the analysts. His account isn't listed as a possible owner and isn't found when searching for it. He can take ownership of incidents himself but cannot be assigned by someone else.

Where exactly does Sentinel get the possible owners from? Both analysts have native Entra ID accounts and the same roles in Sentinel and the LA workspace.

Peace

Fredrik

2 Replies
Hi Fredrik,

Azure Portal obtains this information from Microsoft Graph.

https://learn.microsoft.com/en-us/graph/api/user-list?view=graph-rest-1.0&tabs=http

I recommend logging on to Microsoft Graph Explorer to see if the user shows up there. Make sure to override the maximum number of results using the $top parameter.

My hunch is that the user might have non-ASCII characters in their name, and that the search option does not account for that. A review of the output should confirm that.

Rutger
Here’s a link to Graph Explorer: https://developer.microsoft.com/en-us/graph/graph-explorer

Please make sure to log on (top right) and authorize the app.
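
The check suggested in the replies can also be scripted. The following is an added example, not part of the original posts: it walks a Graph user listing page by page via `@odata.nextLink` and reports any non-ASCII characters in the display name of the account being looked for. The function names, the `fetch` callable and the sample pages are assumptions; the pages are constructed data shaped like `GET /v1.0/users` responses, so the script runs offline.

```python
import unicodedata

# First request; $top sets the page size, $select trims the payload.
FIRST_URL = ("https://graph.microsoft.com/v1.0/users"
             "?$top=2&$select=displayName,userPrincipalName")
NEXT_URL = "https://graph.microsoft.com/v1.0/users?$skiptoken=CONSTRUCTED"

# Constructed sample pages (not real tenant data), keyed by request URL.
PAGES = {
    FIRST_URL: {
        "@odata.nextLink": NEXT_URL,
        "value": [
            {"displayName": "Anna Berg",
             "userPrincipalName": "anna.berg@contoso.example"},
            {"displayName": "Carl Lind",
             "userPrincipalName": "carl.lind@contoso.example"},
        ],
    },
    NEXT_URL: {
        "value": [
            {"displayName": "Björn Åkesson",
             "userPrincipalName": "bjorn.akesson@contoso.example"},
        ],
    },
}

def list_users(first_url, fetch):
    """Yield every user, following @odata.nextLink until it is absent."""
    url = first_url
    while url:
        page = fetch(url)  # fetch(url) -> parsed JSON dict (hypothetical hook)
        yield from page.get("value", [])
        url = page.get("@odata.nextLink")

def check_user(upn, first_url, fetch):
    """Report whether upn is listed and which name characters are non-ASCII."""
    for user in list_users(first_url, fetch):
        if user.get("userPrincipalName", "").lower() == upn.lower():
            name = user.get("displayName") or ""
            odd = [(c, unicodedata.name(c, "UNKNOWN")) for c in name if ord(c) > 127]
            # What an ASCII-only search term for this name would look like.
            folded = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
            return {"found": True, "displayName": name,
                    "non_ascii": odd, "ascii_folded": folded}
    return {"found": False, "displayName": None, "non_ascii": [], "ascii_folded": None}

if __name__ == "__main__":
    print(check_user("bjorn.akesson@contoso.example", FIRST_URL, PAGES.__getitem__))
```

Against a live tenant, `fetch` would be replaced by an authenticated HTTP GET that returns the parsed JSON body.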