Broken Entity Mapping in Azure Active Directory rule template

[goosvorbook]

Describe the bug
One of the "Azure Active Directory" Analytic rules from the Content hub have a mismatch on their entity mapping.

Rule:
"Successful logon from IP and failure from a different IP"
Does not actually contain name and UPNSuffix

To Reproduce
Steps to reproduce the behavior:

1. Install Analytic Rule
2. Open the entity mapping
3. Check if the value actually exists
4. See error

Expected behavior
Full entity mapping with the correct fields, e.g. Name and UPNSuffix, this requires a rewrite of the KQL to actually contain the Name and UPNSuffix

Screenshots

[github-actions]

Thank you for submitting an Issue to the Azure Sentinel GitHub repo! You should expect an initial response to your Issue from the team within 5 business days. Note that this response may be delayed during holiday periods. For urgent, production-affecting issues please raise a support ticket via the Azure Portal.

[v-sudkharat]

Hi @goosvorbook, thanks for flagging this issue, we will soon get back to you on this. Thanks!

[v-sudkharat]

Hi @goosvorbook, we are looking into this issue, please can you add below shared KQL query while create an analytic rule and let us know if it works for you.

| extend Name = tostring(split(UserPrincipalName,'@',0)[0]), UPNSuffix = tostring(split(UserPrincipalName,'@',1)[0])

Sharing the steps and screenshot for reference.

1. While create analytic rule click on Set rule logic
   

2. Add the above query after- union isfuzzy=true aadSignin, aadNonInt.
   

3. Select the "Name" and "UPNSuffix" in the dropdown and processed further to create rule.

Thanks.

[goosvorbook]

Yes that will work

[v-sudkharat]

Hello @goosvorbook, please can you let us know the above shared steps are work for you? Thanks

[goosvorbook]

yes they did

[v-sudkharat]

@goosvorbook, Thanks for sharing the update, we will raise the PR with the changes. can we close this issue? please let us know if you need any further assistance. Thanks