Azure-Sentinel
Intermittent Entity mapping from Defender Incidents
Describe the bug: Incidents created in Microsoft Defender will not always have their entities mapped in Sentinel. Entities don't appear on the incident analysis screen or via KQL query.
To Reproduce: Steps to reproduce the behavior:
- Click on the Incidents menu and select an incident originating from Defender
- When previewing the incident or clicking View Full Details, entities aren't displayed
Expected behavior: The entities (user, ip, host, etc.) will be displayed in all incidents.
Screenshots: Prints of incidents without entities and of executing the query by clicking on the System Alert ID link
Additional context: As shown in the prints, some incidents originating from Defender are sent via the data connector without the entities. Even running a query searching for the title or system alert id, the information is not found.
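As an added triage query (not part of the issue thread), one way to measure how often Defender-sourced alerts reach the workspace without entities, joined back to the incidents they belong to. It assumes the standard SecurityAlert and SecurityIncident schema, and it assumes that analytics-rule alerts carry ProviderName "ASI Scheduled Alerts"; confirm that value in your own workspace before relying on it.

```kql
// Added example, not from the issue: count Defender-sourced alerts that arrived
// in Sentinel with no entities, per product, and list a few affected incidents.
let lookback = 7d;
SecurityAlert
| where TimeGenerated > ago(lookback)
// Assumption: analytics-rule alerts use this ProviderName; everything else is treated as Defender-sourced
| where ProviderName != "ASI Scheduled Alerts"
// Keep the latest copy of each alert, so a late entity update is not counted as missing
| summarize arg_max(TimeGenerated, *) by SystemAlertId
| extend EntityCount = coalesce(array_length(todynamic(Entities)), 0)
| extend HasEntities = EntityCount > 0
| join kind=inner (
    SecurityIncident
    | where TimeGenerated > ago(lookback)
    | summarize arg_max(TimeGenerated, *) by IncidentNumber
    // AlertIds is a JSON array of SystemAlertId values; expand it for the join
    | mv-expand AlertId = AlertIds to typeof(string)
    | project IncidentNumber, Title, AlertId
  ) on $left.SystemAlertId == $right.AlertId
| summarize Total = count(),
            MissingEntities = countif(not(HasEntities)),
            SampleIncidents = make_set_if(IncidentNumber, not(HasEntities), 5)
  by ProductName, ProviderName
| extend MissingPct = round(100.0 * MissingEntities / Total, 1)
| order by MissingPct desc
```

A non-zero MissingPct for a Defender product, while analytics-rule alerts are excluded, reproduces the gap described above and gives concrete incident numbers to attach to a support ticket.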
Hi @ish-rafaeldamiani, Thanks for flagging this issue, we will investigate this issue and get back to you with some updates by 01 May 2024. Thanks!
Hi @ish-rafaeldamiani,
- Please help us to understand from which source you are getting the incident: Sentinel or the Defender portal.
- If from Sentinel, then which Analytics Rule are you using here, and also confirm whether you have added any entity in the Entity mapping section; please refer to the screenshot below.
- If from Defender endpoint, please check that the entities are already available in the Defender portal itself.
Thanks
Hi, @v-rusraut
If you look at the first print, it shows Alert product names: Microsoft Defender for Cloud. This behavior occurs with incidents originating from Defender (for Cloud, Endpoint, Office 365).
There is no occurrence with incidents originating from Analytics Rules.
Entities can be located in the Defender portal. But the problem in this case is that some SOC analysts are not allowed access to the Defender portal.
What I need to know is whether this behavior, entities not being sent from the Defender portal to Sentinel, is normal or a possible bug.
Hi @ish-rafaeldamiani, We are working with the respective team, we will update you. Thanks
Hi @ish-rafaeldamiani, We are waiting for a response from the respective team, we will update you. Thanks
Hi @ish-rafaeldamiani, Still waiting for a response from the respective team, we will update you. Thanks
Hi, @v-rusraut
I am still awaiting feedback about this issue.
Hi @ish-rafaeldamiani, We are waiting for a response from the respective team; if we receive any update, we will update you.
Hi @ish-rafaeldamiani,
We have received a response from the respective team: please use the new Tenant-based Microsoft Defender for Cloud connector, which is currently in PREVIEW state and allows you to collect Defender for Cloud alerts over your entire tenant, without having to enable each subscription separately. (The connector is highlighted in the screenshot below.)
After using the above-mentioned connector, if you still face any issue, kindly raise a support ticket in the Azure portal, so our concerned team will check on this and connect with you if required.
Please let us know once you raise a support ticket case so we can close this issue on GitHub.
Thanks
Hi @ish-rafaeldamiani, We are waiting for a response from you. Thanks
Hi @ish-rafaeldamiani, Gentle Reminder: We are waiting for your response on this issue. If you still need to keep this issue active, please respond to it in the next 2 days. If we don't receive a response by 05-07-2024, we will be closing this issue. Thanks!
Hi @ish-rafaeldamiani, since we have not received a response in the last 5 days, we are closing your issue as per our standard operating procedures. If you still need support for this issue, feel free to re-open at any time. Thank you for your co-operation.