Azure-Sentinel
Intermittent missing entity mappings for Microsoft Entra ID Protection incidents
Describe the bug
Incidents that are created from Microsoft Entra ID Protection will not always have their entities mapped unless you refresh the incident page a few times, or the other way around: initially, when viewing the incident, the entities are there, but when you refresh, they are gone.
To Reproduce
Steps to reproduce the behavior:
- Incident raised from 'Microsoft Entra ID Protection'
- Navigate to incident
- Look at entities - AR maps the IP/User email
Two cases occur, either a):
- 0 entities mapped
- Refresh 1/2/3 times
- 2 entities mapped (as it should be)
or b):
- 2 entities mapped
- Refresh 1/2/3 times
- 0 entities mapped (they were there earlier :D)
Expected behavior
Entities are always mapped if they're available.
Screenshots
E.g.:
Before refresh:
After refresh:
Additional context
For automations this causes issues because we use the entities to parse information about the user and send additional information. So when information gets sent it's null, because there are no entities when they actually are there.
Thank you for submitting an Issue to the Azure Sentinel GitHub repo! You should expect an initial response to your Issue from the team within 5 business days. Note that this response may be delayed during holiday periods. For urgent, production-affecting issues please raise a support ticket via the Azure Portal.
Hi @Kaloszer, Thanks for flagging this issue. We will investigate this issue and get back to you with some updates by 01-02-2024. Thanks!
This is also an issue for me. I find entity mappings rarely pull through from the alert providers portal. It's super frustrating, especially when there are no options to do any sort of any mapping in the alert source provider or seemingly attempt to fix it ourselves.
We also need these entities mapped for automation.
Maybe a slightly separate issue I have is that sometimes entities are mapped, but key information in the JSON is missing. For example a host may be mapped from DfE but it is missing the field mdatpDeviceId, which is critical in most response actions API calls.
Hi @stripesoc, Will check on the issue and get back to you.
Hi @Kaloszer, I am unable to replicate the issue as I don't have sufficient privileges at tenant level. Could you please share convenient time slots for a Teams meeting to this email ([email protected])?
@v-muuppugund - it would be hard to replicate because you need to have that particular type of incident and it needs to be 'fresh', so not sure if it would be possible to replicate that easily. Case in point, it's not an isolated issue as @stripesoc also experiences it.
I will try to find some time in the following week or two.
@Kaloszer noted, please keep me updated on this so we can connect over a Teams meeting.
@Kaloszer / @stripesoc, Gentle reminder: could you please share convenient time slots for a Teams meeting to the email ([email protected])?
Sorry, no time.
I would think that's the same issue here, if the entities are missing in one 'instance' of the blade and your Logic App/Func gets the trigger from that instance you would be missing that data in the JSON as that entity would not be in there. That's pretty much the same case as with missing Ip/UPN then.
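The failure mode described in this thread for automations (entities absent or partially populated in the trigger payload, so a Logic App or Function forwards nulls downstream) can be guarded against on the consumer side. The following Python is an added example, not code from the Azure-Sentinel repository or from anyone in this thread. It assumes the incident-trigger payload carries entities under object.properties.relatedEntities and that Account and Ip entities use the accountName, upnSuffix and address property names; mdatpDeviceId on Host is the field named in the thread. Instead of acting on nulls, it reports what is missing and returns a retry/escalate decision.

```python
"""Guard for Sentinel automation: refuse to act on an incident whose entities
are missing or partially populated, and say why, so the run can be retried."""
import json

# Required properties per entity kind. "mdatpDeviceId" on Host comes from the
# thread; the Account and Ip property names are assumptions about the schema.
REQUIRED_PROPS = {
    "Account": ("accountName", "upnSuffix"),
    "Ip": ("address",),
    "Host": ("hostName", "mdatpDeviceId"),
}


def entities_from_trigger(trigger_body: dict) -> list:
    """Extract the entity list from an incident-trigger payload.
    The path object.properties.relatedEntities is an assumption about the
    Logic App incident trigger shape; adjust if your payload differs."""
    return (trigger_body.get("object", {})
                        .get("properties", {})
                        .get("relatedEntities") or [])


def check_entities(entities: list, expected_kinds) -> dict:
    """Return {'complete': bool, 'found': {...}, 'problems': [...]}.

    complete is False when an expected kind is absent or lacks a required
    property, so the caller can re-fetch/retry instead of forwarding nulls."""
    found, problems, by_kind = {}, [], {}
    for ent in entities:
        by_kind.setdefault(ent.get("kind"), []).append(ent.get("properties") or {})
    for kind in expected_kinds:
        candidates = by_kind.get(kind, [])
        if not candidates:
            problems.append(f"no {kind} entity mapped")
            continue
        props = candidates[0]
        missing = [p for p in REQUIRED_PROPS.get(kind, ()) if not props.get(p)]
        if missing:
            problems.append(f"{kind} entity missing {', '.join(missing)}")
            continue
        if kind == "Account":
            found[kind] = f"{props['accountName']}@{props['upnSuffix']}"
        elif kind == "Ip":
            found[kind] = props["address"]
        elif kind == "Host":
            found[kind] = {"hostName": props["hostName"],
                           "mdatpDeviceId": props["mdatpDeviceId"]}
    return {"complete": not problems, "found": found, "problems": problems}


def decide(trigger_body: dict, expected_kinds=("Account", "Ip"),
           attempt: int = 1, max_attempts: int = 3) -> str:
    """Decision for the automation run: 'proceed', 'retry' or 'escalate'."""
    check = check_entities(entities_from_trigger(trigger_body), expected_kinds)
    if check["complete"]:
        return "proceed"
    return "retry" if attempt < max_attempts else "escalate"


# Constructed sample payloads (not real incidents).
GOOD = {"object": {"properties": {"relatedEntities": [
    {"kind": "Account", "properties": {"accountName": "jdoe", "upnSuffix": "contoso.example"}},
    {"kind": "Ip", "properties": {"address": "203.0.113.7"}},
]}}}
EMPTY = {"object": {"properties": {"relatedEntities": []}}}  # the "0 entities" case
PARTIAL_HOST = {"object": {"properties": {"relatedEntities": [
    {"kind": "Host", "properties": {"hostName": "ws01"}},  # no mdatpDeviceId
]}}}

if __name__ == "__main__":
    for name, body, kinds in (("good", GOOD, ("Account", "Ip")),
                              ("empty", EMPTY, ("Account", "Ip")),
                              ("partial", PARTIAL_HOST, ("Host",))):
        print(name, json.dumps(check_entities(entities_from_trigger(body), kinds)))
```

In a Logic App the equivalent is a Condition on the entity count and required fields before any "send" step, with a delay-and-re-fetch branch; the point is that the run fails loudly on a partially mapped incident rather than silently sending nulls.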
@v-muuppugund I do have some time today/tomorrow - if you have some time that we can follow up on this issue, drop me a meeting invite (8AM-4PM CET). I think 15-30 minutes would be enough to explain what the issue is.
Hi @Kaloszer, Thank you for your response. Could you please share your mail id with us at the ID below, so we can schedule a call with you to proceed further on this? Thanks! [email protected] / [email protected]
I FW'd the github notification to you. You should get my email from there :)
// EDIT - it failed 😮💨
----- The following addresses had permanent fatal errors ----- [email protected] (reason: 550 5.4.1 Recipient address rejected: Access denied. AS(201806281) [BL2NAM06FT009.Eop-nam06.prod.protection.outlook.com 2024-02-14T07:33:13.811Z 08DC2B9861575E79])
----- Transcript of session follows ----- ... while talking to microsoft-com.mail.protection.outlook.com.:
DATA <<< 550 5.4.1 Recipient address rejected: Access denied. AS(201806281) [BL2NAM06FT009.Eop-nam06.prod.protection.outlook.com 2024-02-14T07:33:13.811Z 08DC2B9861575E79] 550 5.1.1 [email protected]... User unknown
My email is [email protected]
@Kaloszer, Received your mail. Thanks!
@Kaloszer, Asked for convenient time slots for a Teams meeting for this issue over email. Could you please share? Thanks
@Kaloszer, As discussed yesterday over the Teams call, unable to replicate the issue with the detailed steps; will reach the team shared by you for further troubleshooting.
@stripesoc - would you be able to share information to @v-muuppugund with the incidents that had this behaviour?
I guess the standard subId/tenant/workspace + incident number. When I get the same I will share similar info.
Hi @Kaloszer, As discussed over Teams in the last call, since we are unable to replicate the issue, you asked me to reach the other team members, so I reached them over email for further details.
Hi @Kaloszer, Still waiting on the team for issue replication steps; sent a gentle reminder over email.
Hey @v-muuppugund - I've talked to my colleagues and they haven't seen it occur in quite a while now, so I think we should feel safe to close this for now. If it happens I'll reopen this one with the aforementioned information.