
Intermittent Entity mapping from Defender Incidents #10372

Open
ish-rafaeldamiani opened this issue Apr 23, 2024 · 6 comments
Labels
Connector Connector specialty review needed

@ish-rafaeldamiani

Describe the bug
Incidents created in Microsoft Defender will not always have their entities mapped in Sentinel. Entities don't appear on the incident analysis screen or via KQL query.

To Reproduce
Steps to reproduce the behavior:

  1. Click on the Incidents menu and select an incident originating from Defender
  2. When previewing the incident or clicking View Full Details, entities aren't displayed

Expected behavior
The entities (user, ip, host, etc.) will be displayed in all incidents.

Screenshots
Screenshots of incidents without entities, and of the query executed by clicking the System Alert ID link:

  • Suspected brute-force attack attempt involving one user
    [screenshot: query security alert]
  • Email messages containing malicious file removed after delivery involving one user
    [screenshot: query security alert 2]

Additional context
As shown in the screenshots, some incidents originating from Defender are sent via the data connector without the entities. Even running a query searching for the title or the System Alert ID, the information is not found.
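As an added example (not part of the original report or of the Sentinel repository), the following KQL can be run in the Sentinel Logs blade to list recent incidents whose linked alerts either have an empty `Entities` field or have no row in `SecurityAlert` at all, which are the two symptoms described above. It uses the documented `SecurityIncident` and `SecurityAlert` columns; the 7-day lookback is an assumption, and the query does not try to guess product names, so analytics-rule incidents will appear too if they ever hit the same condition.

```kusto
// Added example, not from the original report.
// For each recent incident, expand its linked alert IDs and check whether the
// alert reached the workspace with entities. Column names follow the
// SecurityIncident / SecurityAlert schema; the lookback window is an assumption.
let lookback = 7d;
let recent_alerts =
    SecurityAlert
    | where TimeGenerated > ago(lookback)
    | summarize arg_max(TimeGenerated, *) by SystemAlertId       // latest revision of each alert
    | project SystemAlertId, AlertName, AlertProduct = ProductName,
              // Entities is a JSON string; an empty string or "[]" both count as zero
              EntityCount = coalesce(array_length(todynamic(Entities)), 0);
SecurityIncident
| where TimeGenerated > ago(lookback)
| summarize arg_max(LastModifiedTime, *) by IncidentNumber        // current state of each incident
| mv-expand AlertId = AlertIds to typeof(string)                   // one row per linked alert
| join kind=leftouter recent_alerts on $left.AlertId == $right.SystemAlertId
| extend Problem = case(
    isempty(SystemAlertId), "alert row missing from SecurityAlert",   // second symptom in the report
    EntityCount == 0,       "alert present but Entities is empty",   // first symptom in the report
    "")
| where isnotempty(Problem)
| project IncidentNumber, Title, IncidentProvider = ProviderName,
          AlertProduct, AlertName, AlertId, Problem
| order by IncidentNumber desc
```

The `leftouter` join is deliberate: an inner join would silently drop exactly the incidents whose alert never arrived in `SecurityAlert`, which is the case the reporter could not find by searching for the System Alert ID. Summarising the result by `AlertProduct` and `Problem` gives a quick picture of which Defender products are affected and how often, without anyone needing access to the Defender portal.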

@v-sudkharat v-sudkharat added the Connector Connector specialty review needed label Apr 24, 2024
@v-rusraut
Contributor

Hi @ish-rafaeldamiani,
Thanks for flagging this issue, we will investigate this issue and get back to you with some updates by 01 May 2024. Thanks!

@v-rusraut
Contributor

Hi @ish-rafaeldamiani,

  • Please help us understand from which source you are getting the incident: the Sentinel or the Defender portal.
  • If from Sentinel, which analytics rule are you using? Also confirm whether you have added any entity in the Entity mapping section (please refer to the screenshot below).
    [screenshot]
  • If from Defender for Endpoint, please check whether the entities are already available in the Defender portal itself.

Thanks

@ish-rafaeldamiani
Author

Hi, @v-rusraut

If you look at the first screenshot, it has Alert product names: Microsoft Defender for Cloud. This behavior occurs with incidents originating from Defender (for Cloud, Endpoint, Office 365).

There are no occurrences with incidents originating from Analytics Rules.

Entities can be located in the Defender portal. But the problem in this case is that some SOC analysts are not allowed access to the Defender portal.

What I need to know is whether this behavior (entities not being sent from the Defender portal to Sentinel) is normal or a possible bug.

@v-rusraut
Contributor

Hi @ish-rafaeldamiani,
We are working with the respective team and will update you.
Thanks

@v-rusraut
Contributor

Hi @ish-rafaeldamiani,
We are waiting for a response from the respective team and will update you.
Thanks

@v-rusraut
Contributor

Hi @ish-rafaeldamiani,
Still waiting for a response from the respective team; we will update you.
Thanks
