NRT Authentication Methods Changed for VIP Users

M Nurohmat 100 Reputation points
2023-07-20T08:42:48.9833333+00:00

Cannot create a new rule for NRT Authentication Methods Changed for VIP Users


Microsoft Sentinel
A scalable, cloud-native solution for security information event management and security orchestration automated response. Previously known as Azure Sentinel.

Accepted answer
  1. Givary-MSFT 25,761 Reputation points Microsoft Employee
    2023-07-20T16:41:03.0733333+00:00

    @M Nurohmat Thank you for reaching out to us. A similar issue has been discussed here: https://github.com/Azure/Azure-Sentinel/issues/8187. Please check the steps there to see if they help resolve the above-mentioned issue. I am also checking the same with my team internally.


1 additional answer

  1. Andrew Blumhardt 9,461 Reputation points Microsoft Employee
    2023-07-20T12:26:34.7+00:00

    Try running your watchlist query standalone to isolate the issue. It seems that it does not like "User Principal Name" for some reason. You could try using summary instead or maybe this the search key to ensure all VIP records in the watchlist are unique. You could try renaming the column first with a project if the spaces are somehow the issue.

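The checks suggested in the answer above, written out as KQL to run one query at a time in the Sentinel Logs blade. This is an added example, not part of the original thread or of the rule template; the watchlist alias `VIPUsers` and the renamed column `UPN` are assumptions, so substitute the alias your workspace uses.

```kql
// Assumption: the watchlist alias is 'VIPUsers'. Replace it with your own alias.
// Run each query separately (select it, then Run).

// 1. Watchlist lookup on its own: list the columns the watchlist really exposes.
//    If "User Principal Name" is missing or spelled differently here, any rule
//    query that references that column will fail validation.
_GetWatchlist('VIPUsers')
| getschema
| project ColumnName, ColumnType

// 2. Rename the spaced column up front, then use the new name everywhere else.
//    Bracket-and-quote syntax is required for column names containing spaces.
_GetWatchlist('VIPUsers')
| project-rename UPN = ['User Principal Name']
| extend UPN = tolower(UPN)
| distinct UPN

// 3. Same lookup, but tolerant of a missing column: column_ifexists returns the
//    default ('') instead of raising an error, so empty output here points at
//    the column name rather than at the rest of the rule.
_GetWatchlist('VIPUsers')
| extend UPN = tolower(tostring(column_ifexists('User Principal Name', '')))
| where isnotempty(UPN)
| distinct UPN

// 4. Uniqueness check on the watchlist search key: any row returned is a
//    key value that appears more than once in the watchlist.
_GetWatchlist('VIPUsers')
| summarize Records = count() by SearchKey
| where Records > 1
```

If query 1 succeeds but query 2 fails, the problem is the column name; if query 1 itself fails, the watchlist alias is wrong or the watchlist has not been created.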