Describe the bug
The analytic rule "Anomalous Single Factor Signin" (https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SigninLogs/AnomalousSingleFactorSignin.yaml) version 1.0.4 is unable to map AppId and AppDisplayName from the SignInLogs table belonging to Entra ID. Sentinel fails to map the required entities.
It has been pointed out in case #2408070050003611 that AppId is an Int and the data in Entra ID logs is a GUID, plus the field is deprecated; see https://learn.microsoft.com/en-us/azure/sentinel/entities-reference#cloud-application for more information.
Documentation talks about a new field SaasId which is not available in Sentinel yet (waiting on PG to fix) but when it is available it will be an Int field.
The Int identifiers can be found here - https://learn.microsoft.com/en-us/azure/sentinel/entities-reference#cloud-application-identifiers
To Reproduce
Steps to reproduce the behavior:
Expected behavior
The Cloud Application name should be reported as an entity.