Hi, How are you doing?
I've been having problems with the mapping for this
It is supposed to come from AzureAD IdentityProtection, but at the moment I can't get to map any Entities Highlights for Default, only the IP.
The name of the user comes in the "aaduserid" variable, but I want the alert to show the user's email address or display name as an entity, something more useful.
Any solutions? I came up with the solution to do some KQL queries, get the JSON, and enrich the entities, but I'm sure that I'm missing something.
Thanks!
This can be done in a few ways, but here is my first impression.
The entity should be mapped to a UID/programmatic name (like email, or FQ), as this is what Actions work on.
To get more interesting information you "add enrichment" that pulls additional fields from the ingested Alert and adds them as sub-attributes:
Cases > Alert > Events tab > Event > gear symbol > Mapping > Entity type > three dots > Add Enrichment
This way makes full use of the great info that comes in the original packet.
To show this data, focus on the 'Entities highlights' widget, click 'View Details' and Add to highlight.
Alternatively you can use playbook logic to enrich usernames to get more 'friendly' info (display name, manager's name etc). This would be in the vendor predefined widget you add to the playbook view.
HTH Andy
Perfect, thank you. Got it!