Intermittent missing entity mappings for Microsoft Entra ID Protection incidents #9820
Comments
Thank you for submitting an Issue to the Azure Sentinel GitHub repo! You should expect an initial response to your Issue from the team within 5 business days. Note that this response may be delayed during holiday periods. For urgent, production-affecting issues please raise a support ticket via the Azure Portal.
Hi @Kaloszer, Thanks for flagging this issue, we will investigate this issue and get back to you with some updates by 01-02-2024. Thanks!
This is also an issue for me. I find entity mappings rarely pull through from the alert provider's portal. It's super frustrating, especially when there are no options to do any sort of mapping in the alert source provider or seemingly attempt to fix it ourselves. We also need these entities mapped for automation. Maybe a slightly separate issue I have is that sometimes entities are mapped, but key information in the JSON is missing. For example, a host may be mapped from DfE but it is missing the field mdatpDeviceId, which is critical in most response action API calls.
Hi @stripesoc, Will check on the issue and get back to you.
Hi @Kaloszer, I am unable to replicate the issue as I don't have sufficient privileges at tenant level. Could you please share convenient time slots for a Teams meeting to this email (v-muuppugund@microsoft.com)?
@v-muuppugund - it would be hard to replicate because you need to have that particular type of incident and it has to be 'fresh', so I'm not sure if it would be possible to replicate that easily. Case in point: it's not an isolated issue, as @stripesoc also experiences it. I will try to find some time in the following week/2.
@Kaloszer noted, please keep me updated on this, so we can connect over a Teams meeting.
@Kaloszer / @stripesoc, Gentle reminder, could you please share convenient time slots for a Teams meeting to email, i.e. (v-muuppugund@microsoft.com)?
Sorry, no time.
I would think that's the same issue here: if the entities are missing in one 'instance' of the blade and your Logic App/Func gets the trigger from that instance, you would be missing that data in the JSON as that entity would not be in there. That's pretty much the same case as with the missing IP/UPN then.
@v-muuppugund I do have some time today/tomorrow - if you have some time that we can follow up on this issue, drop me a meeting invite (8AM-4PM CET) - I think 15-30 minutes would be enough to explain what the issue is.
Hi @Kaloszer, Thank you for your response. Could you please share your mail ID with us at the ID below, so we can schedule a call with you to proceed further on this. Thanks!
I FW'd the github notification to you. You should get my email from there :) // EDIT - it failed 😮💨
----- Transcript of session follows -----
My email is sebastian.wiszowaty@softwareone.com
@Kaloszer, Received your mail. Thanks!
@Kaloszer, Asked for convenient time slots for a Teams meeting for this issue over an email. Could you please share? Thanks
@Kaloszer, As discussed yesterday over the Teams call, unable to replicate the issue with detailed steps; will reach the team shared by you for further troubleshooting.
@stripesoc - would you be able to share information with @v-muuppugund about the incidents that had this behaviour? I guess the standard subId/tenant/workspace + incident number. When I get the same I will share similar info.
Hi @Kaloszer, As discussed over Teams on the last call, as we are unable to replicate the issue, I was asked to reach the other team members, so I reached them over email for further details.
Hi @Kaloszer, Still waiting on the team for issue replication steps; sent a gentle reminder over email.
Hey @v-muuppugund - I've talked to my colleagues and they haven't seen it occur in quite a while now, so I think we should feel safe to close this for now. If it happens I'll reopen this one with the aforementioned information.
Describe the bug
Incidents that are created from Microsoft Entra ID Protection will not always have their entities mapped unless you refresh the incident page a few times, or the other way around: initially viewing the incident the entities are there, but when you refresh, they are gone.
To Reproduce
Steps to reproduce the behavior:
2 cases occur - either a):
b)
Expected behavior
Entities are always mapped if they're available
Screenshots
E.g.:
Before refresh:
After refresh:
Additional context
For automations this causes issues because we use the entities to parse information about the user and send additional information. So when information gets sent it's null, because there are no entities in the payload even though they actually exist.