Intermittent Entity mapping from Defender Incidents #10372
Comments
Hi @ish-rafaeldamiani,

Hi, @v-rusraut. If you look at the first print, it has the alert product name: Microsoft Defender for Cloud. This behavior occurs with incidents originating from Defender (for Cloud, Endpoint, Office 365). There is no occurrence with incidents originating from Analytics Rules. The entities can be located in the Defender portal, but the problem in this case is that some SOC analysts are not allowed access to the Defender portal. What I need to know is whether this behavior, where the entities are not sent from the Defender portal to Sentinel, is normal or a possible bug.
Describe the bug
Incidents created in Microsoft Defender will not always have their entities mapped in Sentinel. The entities don't appear on the incident analysis screen or via a KQL query.
To Reproduce
Steps to reproduce the behavior:
Expected behavior
The entities (user, ip, host, etc.) will be displayed in all incidents.
Screenshots
Prints of incidents without entities, and of executing the query by clicking on the System Alert ID link.
Additional context
As shown in the prints, some incidents originating from Defender are sent via the data connector without the entities. Even running a query searching for the title or the system alert ID, the information is not found.
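The following KQL is an added example for triaging this report from the Sentinel side; it is not from the issue or from the Azure-Sentinel repository. It walks each recent incident's `AlertIds` back to the `SecurityAlert` row and flags alerts whose `Entities` column is empty, so an analyst without Defender portal access can see which Defender-sourced incidents arrived without entity mappings. Column names (`IncidentNumber`, `AlertIds`, `SystemAlertId`, `ProductName`, `Entities`) follow the Log Analytics schema of the `SecurityIncident` and `SecurityAlert` tables; the `ProductName` prefix filter is an assumption, since the only product name the issue quotes is "Microsoft Defender for Cloud".

```kql
// Added example, not part of the original issue.
// Lists Defender-originated alerts that reached Sentinel with no entities,
// joined to the incident that contains them.
let lookback = 7d;
SecurityIncident
| where TimeGenerated > ago(lookback)
// keep only the latest state of each incident (the table stores every update)
| summarize arg_max(TimeGenerated, *) by IncidentNumber
// one row per alert ID linked to the incident
| mv-expand AlertId = AlertIds to typeof(string)
| join kind=inner (
    SecurityAlert
    | where TimeGenerated > ago(lookback)
    // assumption: Defender products share this prefix; the issue quotes "Microsoft Defender for Cloud"
    | where ProductName startswith "Microsoft Defender"
    | summarize arg_max(TimeGenerated, *) by SystemAlertId
    // Entities is a JSON array serialized as a string; "[]" means none were mapped
    | extend HasEntities = isnotempty(Entities) and Entities != "[]"
) on $left.AlertId == $right.SystemAlertId
| where not(HasEntities)
| project IncidentNumber, Title, ProductName, SystemAlertId, AlertName, Entities
| order by IncidentNumber desc
```

Running the same query with `| where HasEntities` instead of `| where not(HasEntities)` gives the complementary set, which makes it easy to confirm the pattern described above: whether the missing entities correlate with a particular `ProductName` rather than occurring at random across all Defender-sourced incidents.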