Azure / Azure-Sentinel

Cloud-native SIEM for intelligent security analytics for your entire enterprise.
https://azure.microsoft.com/en-us/services/azure-sentinel/
MIT License

Azure Sentinel Connector for LogicApp - Get-Accounts Action does not return all defined attributes #884

Closed alexverboon closed 4 years ago

alexverboon commented 4 years ago

Describe the bug

As per the documentation here: https://docs.microsoft.com/en-us/connectors/azuresentinel/#account, the Get-Accounts Action should return the following entities list within the response body

https://docs.microsoft.com/en-us/connectors/azuresentinel/#batchresponseaccount

  Name
  NTDomain
  UPNSuffix
  Sid
  AadTenantId
  AadUserId
  IsDomainJoined

However, I only get the following information back, see example below:

  {
    "$id": "4",
    "Name": "AdeleV",
    "UPNSuffix": "avmtplab.onmicrosoft.com",
    "IsDomainJoined": true,
    "Type": "account"
  }

For my specific use case, I need the user's AadUserId. Within the Azure Sentinel console, when investigating the incident, this information is shown for the user, so the information is available within the system, but it looks like the Get-Accounts action doesn't pull all data.

To Reproduce

Logic app has the following steps:

  1. When a response to an Azure Sentinel alert is triggered (Preview)
  2. Alert - Get Incident
  3. Alert - Get Accounts
  4. ForEach / Accounts / Parse Json

Expected behavior

The Get-Accounts action should return all properties as described here: https://docs.microsoft.com/en-us/connectors/azuresentinel/#batchresponseaccount
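As an added example (not part of the issue or the Azure Sentinel connector code), the following Python audits a Get-Accounts response against the attribute list from the connector documentation quoted above and reports which documented attributes each returned account lacks. The sample response is constructed from the entity shown in the issue; the "Accounts" wrapper key and the Name@UPNSuffix fallback are assumptions.

```python
import json
from typing import Dict, List, Optional, Tuple

# Attributes the connector documentation lists for a batchResponseAccount entity
# (as quoted in the issue). "$id" and "Type" are returned but are not in that list.
DOCUMENTED_ACCOUNT_ATTRIBUTES = (
    "Name", "NTDomain", "UPNSuffix", "Sid", "AadTenantId", "AadUserId", "IsDomainJoined",
)

# Constructed sample: the single entity the issue shows, wrapped in an assumed
# "Accounts" list as iterated by the Logic App ForEach step. Not a real capture.
SAMPLE_ACCOUNTS_JSON = """
{"Accounts": [
  {"$id": "4", "Name": "AdeleV", "UPNSuffix": "avmtplab.onmicrosoft.com",
   "IsDomainJoined": true, "Type": "account"}
]}
"""


def missing_attributes(account: dict) -> List[str]:
    """Documented attributes that are absent or null in one returned account entity."""
    return [attr for attr in DOCUMENTED_ACCOUNT_ATTRIBUTES if account.get(attr) is None]


def audit_accounts(body: str) -> Dict[str, List[str]]:
    """Map each returned account's Name to the documented attributes it is missing."""
    accounts = json.loads(body).get("Accounts", [])
    return {acct.get("Name", "<unnamed>"): missing_attributes(acct) for acct in accounts}


def aad_user_id_or_upn(account: dict) -> Optional[Tuple[str, str]]:
    """Prefer the AadUserId the issue needs. When it is absent, fall back to a UPN
    assembled from Name and UPNSuffix (assumption: those two fields form the UPN).
    Returns (kind, value), or None when neither identifier can be derived."""
    if account.get("AadUserId"):
        return ("AadUserId", account["AadUserId"])
    if account.get("Name") and account.get("UPNSuffix"):
        return ("UPN", f"{account['Name']}@{account['UPNSuffix']}")
    return None


if __name__ == "__main__":
    for name, missing in audit_accounts(SAMPLE_ACCOUNTS_JSON).items():
        print(f"{name}: missing {', '.join(missing) or 'none'}")
```

Running it against the constructed sample reports NTDomain, Sid, AadTenantId and AadUserId as missing for AdeleV, which is the gap the issue describes.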

dicolanl commented 4 years ago

@alexverboon investigating

dicolanl commented 4 years ago

@lior-tamir

@alexverboon: Can you please share an example (screenshots please) of an alert/incident where one of these fields is shown in investigation, but not in the entity inside the alert?

dicolanl commented 4 years ago

@alexverboon bump