Email/Phone Indicators in Account Entity Types

Question

Email/Phone Indicators in Account Entity Types

Venkat Rambatla 1

Hi There,

As Sentinel supports only four entity types -

Account 2. IP 3. Host 4. URL

Can we use Email or Phone Number in the logs and map it to Account Entity Type?

Saurabh Sharma 23,851 Reputation points Microsoft Employee Moderator

2020-08-18T18:32:20.917+00:00

@Venkat Rambatla Which logs you are trying use in the Mapping rule - Security event logs, event logs, audit logs or some other log ? Is Email/Phone fields are available in the logs ? If yes, any of the columns available through the logs to available entity types.
Venkat Rambatla 1 Reputation point

2020-08-19T08:13:21.743+00:00

Hi Saurabh,

Thanks for the Reply.

So basically what it means we can map email/phone/zipcode values provided from the logs to any supported entity types in the sentinel.

is it OK to map Phone Number/Zip Code to Account Entity?
Saurabh Sharma 23,851 Reputation points Microsoft Employee Moderator

2020-08-19T19:46:16.783+00:00

@Venkat Rambatla I believe so but I noticed that not all columns from security event logs are appearing on Account dropdown on Analytic Rule mapping page on Azure portal.

I will confirm this with the product team but from which logs you are getting the phone number and zip code ?

1 answer

Your answer

Saurabh Sharma 23,851 Reputation points Microsoft Employee Moderator

2020-08-18T18:32:20.917+00:00

@Venkat Rambatla Which logs you are trying use in the Mapping rule - Security event logs, event logs, audit logs or some other log ? Is Email/Phone fields are available in the logs ? If yes, any of the columns available through the logs to available entity types.
Venkat Rambatla 1 Reputation point

2020-08-19T08:13:21.743+00:00

Hi Saurabh,

Thanks for the Reply.

So basically what it means we can map email/phone/zipcode values provided from the logs to any supported entity types in the sentinel.

is it OK to map Phone Number/Zip Code to Account Entity?
Saurabh Sharma 23,851 Reputation points Microsoft Employee Moderator

2020-08-19T19:46:16.783+00:00

@Venkat Rambatla I believe so but I noticed that not all columns from security event logs are appearing on Account dropdown on Analytic Rule mapping page on Azure portal.

I will confirm this with the product team but from which logs you are getting the phone number and zip code ?

Answer 1

Saurabh Sharma 23,851 Microsoft Employee Moderator

@Venkat Rambatla I have received confirmation on your ask and here is correction to my previous comment -
You can indeed use the account to hold the email since it is a valid account name - however, not zip code and phone number.
The product team is also aware of limitation of not showing all columns under different entity types (Account, IP, Host and URL) and currently working on an improvement that would allow using a wide range of entity types.

----------

Please do not forget to "Accept the answer" wherever the information provided helps you to help others in the community.

JamesTran-MSFT 36,911 Reputation points Microsoft Employee Moderator

2020-08-25T22:56:16.797+00:00

@Venkat Rambatla
I just wanted to check in and see if you required additional assistance or if you were able to resolve this issue?

----------

If any reply/answer helped resolve your question, please remember to "mark as answer" so that others in the community facing similar issues can easily find the solution.

Share via

Email/Phone Indicators in Account Entity Types

1 answer

Your answer