Sep 26 2022 11:04 AM - edited Sep 26 2022 11:05 AM
I'm trying to use a playbook trigged by an analytics rule to automate sending an approval email for things like a new device being registered to a user or MFA settings being changed. When the playbook is triggered I seem to get inconsistent entity information from the incident, for example sometimes "accountname" only shows first.last and sometimes accountname is the full UPN which is what I want and what's specified in the analytics rule. Because of this the playbook fails later when I try to use the accountname for other things. How can I get this to be consistent?
Sep 26 2022 11:26 AM
Sep 27 2022 03:46 AM - edited Sep 27 2022 03:46 AM
https://learn.microsoft.com/en-gb/azure/active-directory/fundamentals/security-operations-user-accou...
There is some guidance and Rules for this
Sep 27 2022 08:36 AM
Sep 27 2022 09:01 AM