Entity mapping issue - Anomalous Single Factor Signin - Cloud Application #11036

MikeP324 opened this issue Aug 28, 2024 · 3 comments
@MikeP324

Describe the bug
The analytic rule "Anomalous Single Factor Signin" (https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SigninLogs/AnomalousSingleFactorSignin.yaml) version 1.0.4 is unable to map AppId and AppDisplayName from the SignInLogs table belonging to Entra ID. Sentinel fails to map the required entities.

It has been pointed out in case #2408070050003611 that AppId is an Int and the data in Entra ID logs is a GUID plus the field is deprecated, see https://learn.microsoft.com/en-us/azure/sentinel/entities-reference#cloud-application for more information.

Documentation talks about a new field SaasId which is not available in Sentinel yet (waiting on PG to fix) but when it is available it will be an Int field.

The Int identifiers can be found here - https://learn.microsoft.com/en-us/azure/sentinel/entities-reference#cloud-application-identifiers

To Reproduce
Steps to reproduce the behavior:

  1. Generate an Anomalous Single Factor Signin event against Entra ID, for example from a mobile device using Microsoft Authentication Broker.
  2. Review the Entra ID logs for that event.
  3. See the AppId field is a GUID and not an Int.
  4. Confirm if Sentinel generates an incident for the analytic rule and the event data.
  5. Confirm the reported entities for the incident.

Expected behavior
The Cloud Application name should be reported as an entity.
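As an added example (not part of this issue or of the Azure-Sentinel repository), a small Python check that takes a CloudApplication entity mapping in the shape the rule's YAML uses, plus a sample SigninLogs row, and reports identifiers whose column value does not have the type the entities reference expects; the AppId-is-a-GUID mismatch described above is exactly what it flags. The mapping block and the log row are constructed, and the identifier-type table is an assumption taken from the linked reference (AppId is an Int, Name and InstanceName are strings).

```python
import re

# Assumed from the entities reference linked in the issue:
# CloudApplication identifiers and the type each one expects.
CLOUD_APP_IDENTIFIER_TYPES = {"AppId": "int", "Name": "string", "InstanceName": "string"}

GUID_RE = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")

# Constructed stand-in for the rule's entityMappings block, limited to the
# CloudApplication part the issue describes (AppId -> AppId, Name -> AppDisplayName).
RULE_ENTITY_MAPPINGS = [
    {
        "entityType": "CloudApplication",
        "fieldMappings": [
            {"identifier": "AppId", "columnName": "AppId"},
            {"identifier": "Name", "columnName": "AppDisplayName"},
        ],
    }
]

# Constructed SigninLogs row: AppId carries a GUID, as the issue reports.
SAMPLE_SIGNIN_ROW = {
    "AppId": "00000000-0000-0000-0000-000000000000",  # placeholder GUID, not a real app id
    "AppDisplayName": "Microsoft Authentication Broker",
    "UserPrincipalName": "user@example.com",
}


def value_shape(value):
    """Classify a column value as 'int', 'guid' or 'string' by its shape."""
    if isinstance(value, int) and not isinstance(value, bool):
        return "int"
    if isinstance(value, str):
        if GUID_RE.match(value):
            return "guid"
        if value.strip().lstrip("-").isdigit():
            return "int"
    return "string"


def check_cloud_app_mappings(mappings, row):
    """Return (identifier, columnName, expected, actual) for each mapping that cannot work."""
    problems = []
    for mapping in mappings:
        if mapping.get("entityType") != "CloudApplication":
            continue
        for fm in mapping["fieldMappings"]:
            ident, col = fm["identifier"], fm["columnName"]
            expected = CLOUD_APP_IDENTIFIER_TYPES.get(ident)
            if expected is None:
                problems.append((ident, col, "known identifier", "unknown identifier"))
            elif col not in row:
                problems.append((ident, col, expected, "column missing"))
            elif expected == "int" and value_shape(row[col]) != "int":
                problems.append((ident, col, expected, value_shape(row[col])))
    return problems
```

Running `check_cloud_app_mappings(RULE_ENTITY_MAPPINGS, SAMPLE_SIGNIN_ROW)` reports the AppId column as a GUID where an Int is expected, while the Name mapping passes.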

@v-rusraut
Contributor

Hi @MikeP324, thanks for flagging this issue. We will investigate it and get back to you with some updates by 05-09-2024. Thanks!

@MikeP324
Author

@v-rusraut - Do you have any update for me please?

@v-rusraut
Contributor

Hi @MikeP324,
We are working with the respective team and will update you.
Thanks
