Azure / Azure-Sentinel

Cloud-native SIEM for intelligent security analytics for your entire enterprise.
https://azure.microsoft.com/en-us/services/azure-sentinel/
MIT License

Intermittent Entity mapping from Defender Incidents #10372

Closed ish-rafaeldamiani closed 3 weeks ago

ish-rafaeldamiani commented 3 months ago

Describe the bug Incidents created in Microsoft Defender will not always have their entities mapped in Sentinel. Entities don't appear on the incident analysis screen or via KQL query.

To Reproduce Steps to reproduce the behavior:

  1. Click on the Incidents menu and select an incident originating from Defender
  2. When previewing the incident or clicking View Full Details, entities aren't displayed

Expected behavior The entities (user, ip, host, etc.) will be displayed in all incidents.

Screenshots Prints of incidents without entities and executing the query by clicking on the System Alert ID link

Suspected brute-force attack attempt involving one user query security alert

Email messages containing malicious file removed after delivery involving one user query security alert 2

Additional context As shown in the prints, some incidents originating from Defender are sent via data connector without the entities. Even running a query searching for the title or system alert id, the information is not found.
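To quantify how often Defender-originated alerts arrive without entities (the "intermittent" behaviour described above), here is a KQL triage query for the Sentinel workspace. It is an added example, not part of the original report; the ProductName filter values and the assumption that a missing entity list shows up as an empty `Entities` field are assumptions, so adjust them to what your workspace actually returns.

```kql
// Added example (not from the issue): share of Defender alerts whose Entities field is empty.
// Assumption: alerts with no mapped entities have an empty/"[]" Entities string.
SecurityAlert
| where TimeGenerated > ago(14d)
// Assumption: product names used by Defender for Cloud / Endpoint / Office 365 in SecurityAlert
| where ProductName in ("Azure Security Center",
                        "Microsoft Defender Advanced Threat Protection",
                        "Office 365 Advanced Threat Protection",
                        "Microsoft 365 Defender")
| extend EntityCount = coalesce(array_length(parse_json(Entities)), 0)
| summarize Alerts = count(),
            MissingEntities = countif(EntityCount == 0),
            SampleAlertId = any(SystemAlertId)   // one SystemAlertId to look up, as the reporter did
          by ProductName, AlertName
| extend MissingPct = round(100.0 * MissingEntities / Alerts, 1)
| order by MissingEntities desc
```

A non-zero MissingPct for a given AlertName, alongside analytics-rule alerts that always carry entities, is the evidence worth attaching to a support ticket.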

v-rusraut commented 3 months ago

Hi @ish-rafaeldamiani, thanks for flagging this issue. We will investigate it and get back to you with some updates by 01 May 2024. Thanks!

v-rusraut commented 3 months ago

Hi @ish-rafaeldamiani,

Thanks

ish-rafaeldamiani commented 3 months ago

Hi, @v-rusraut

If you look at the first print, it has Alert product names: Microsoft Defender for Cloud. This behavior occurs with incidents originating from Defender (for Cloud, Endpoint, Office 365).

There is no occurrence with incidents originating from Analytics Rules.

Entities can be located in the Defender portal. But the problem in this case is that some SOC analysts are not allowed access to the Defender portal.

What I need to know is whether this behavior, entities not being sent from the Defender portal to Sentinel, is normal or a possible bug.

v-rusraut commented 2 months ago

Hi @ish-rafaeldamiani, we are working with the respective team; we will update you. Thanks

v-rusraut commented 2 months ago

Hi @ish-rafaeldamiani, we are waiting for a response from the respective team; we will update you. Thanks

v-rusraut commented 2 months ago

Hi @ish-rafaeldamiani, still waiting for a response from the respective team; we will update you. Thanks

ish-rafaeldamiani commented 1 month ago

Hi, @v-rusraut

I am still awaiting feedback about this issue.

v-rusraut commented 1 month ago

Hi @ish-rafaeldamiani, we are waiting for a response from the respective team. If we receive any update, we will update you.

v-rusraut commented 1 month ago

Hi @ish-rafaeldamiani, we have received a response from the respective team. Please use the new Tenant-based Microsoft Defender for Cloud connector, which is currently in PREVIEW state and allows you to collect Defender for Cloud alerts across your entire tenant without having to enable each subscription separately. (The connector is highlighted in the screenshot below.)

[screenshot]

After using the above-mentioned connector, if you still face any issue, kindly raise a support ticket in the Azure portal so the concerned team can check on this and connect with you if required.

Please let us know once you raise a support ticket case so we can close this issue on GitHub.

Thanks

v-rusraut commented 4 weeks ago

Hi @ish-rafaeldamiani, we are waiting for a response from you. Thanks

v-sudkharat commented 3 weeks ago

Hi @ish-rafaeldamiani, gentle reminder: we are waiting for your response on this issue. If you still need to keep this issue active, please respond to it in the next 2 days. If we don't receive a response by 05-07-2024, we will be closing this issue.
Thanks!

v-sudkharat commented 3 weeks ago

Hi @ish-rafaeldamiani, since we have not received a response in the last 5 days, we are closing your issue as per our standard operating procedures. If you still need support for this issue, feel free to re-open at any time. Thank you for your co-operation.