cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Entities missing in Incidents

Sidra_Raza
Brass Contributor

‎Sep 07 2023 03:53 AM - edited ‎Oct 03 2023 04:33 AM

‎Sep 07 2023 03:53 AM - edited ‎Oct 03 2023 04:33 AM

Entities missing in Incidents

Hello,

Entities are not showing on any of the incidents in Sentinel. Although, I have mapped the entities correctly for each alert. 

Sidra_Raza_0-1694083844880.png

 

I have the same alerts and entities mapping on other tenant and it shows entities there. What could be the issue?

 

Update: I raised the support ticket to microsoft.

Issue has been resolved by Microsoft. It was a misconfiguration from the backend.

 

Labels:
3,040 Views
0 Likes
10 Replies
Reply
10 Replies
eliekarkafy

‎Sep 07 2023 04:13 AM

‎Sep 07 2023 04:13 AM

Re: Entities missing in Incidents

@Sidra_Raza Hi , can you check in your sentinel settings if the below settings is enabled 

Identify advanced threats with User and Entity Behavior Analytics (UEBA) in Microsoft Sentinel | Mic...

 

eliekarkafy_0-1694085162829.png

 

0 Likes
Reply
Sidra_Raza

‎Sep 07 2023 08:24 AM

‎Sep 07 2023 08:24 AM

Re: Entities missing in Incidents

It's enabled already but no luck.
0 Likes
Reply
eliekarkafy

‎Sep 07 2023 09:27 AM

‎Sep 07 2023 09:27 AM

Re: Entities missing in Incidents

@Sidra_Raza for this analytic rule the entity mapping should look like the below 

eliekarkafy_0-1694104025275.png

 

0 Likes
Reply
CruzAz

‎Sep 08 2023 02:59 PM

‎Sep 08 2023 02:59 PM

Re: Entities missing in Incidents

Hi Sidra, this sounds like an issue we had last year with the old queries. I would first, make sure that you are using the latest version of the analytic rule. If you are not, it may be related to this: https://learn.microsoft.com/en-us/azure/sentinel/whats-new#account-enrichment-fields-removed-from-az...
0 Likes
Reply
Sidra_Raza

‎Sep 08 2023 10:54 PM

‎Sep 08 2023 10:54 PM

Re: Entities missing in Incidents

I did the same mappings
0 Likes
Reply
samikroy

‎Sep 11 2023 04:16 AM

‎Sep 11 2023 04:16 AM

Re: Entities missing in Incidents

Could you please revisit the same incidents after some time as the Entity mapping takes a while to populate.
0 Likes
Reply
Sidra_Raza

‎Sep 11 2023 11:42 PM

‎Sep 11 2023 11:42 PM

Re: Entities missing in Incidents

It's been more than 10 days when I did the mapping of entities.
0 Likes
Reply
Htnahsin2025

‎Sep 12 2023 10:57 AM

‎Sep 12 2023 10:57 AM

Re: Entities missing in Incidents

Following this thread since we are facing a similar issues with few analytics .
1 Like
Reply
TheHoff70

‎Jan 02 2024 02:56 AM

‎Jan 02 2024 02:56 AM

Re: Entities missing in Incidents

I'm following/bumping this because we have the same thing, sort of. Sentinel can stop parsing entities for 1-2 hours and then suddenly start again. Playbooks and automation rules get proper data from the incidents but no entities are displayed in the incident.
0 Likes
Reply
uday_Kalvapalli

‎Apr 11 2024 11:53 PM

‎Apr 11 2024 11:53 PM

Re: Entities missing in Incidents

Please share me ticket numner.
0 Likes
Reply