NRT Authentication Methods Changed for VIP Users

M Nurohmat 100 Reputation points
2023-07-20T08:42:48.9833333+00:00

Cannot create a new rule for NRT Authentication Methods Changed for VIP Users


Accepted answer
  1. Givary-MSFT 35,296 Reputation points Microsoft Employee
    2023-07-20T16:41:03.0733333+00:00

    @M Nurohmat Thank you for reaching out to us. A similar issue has been discussed here: https://github.com/Azure/Azure-Sentinel/issues/8187 I request you to check the steps and see if they help to resolve the above-mentioned issue. I am also checking the same with my team internally.


1 additional answer

  1. Andrew Blumhardt 9,871 Reputation points Microsoft Employee
    2023-07-20T12:26:34.7+00:00

    Try running your watchlist query standalone to isolate the issue. It seems that it does not like "User Principal Name" for some reason. You could try using summary instead or maybe this the search key to ensure all VIP records in the watchlist are unique. You could try renaming the column first with a project if the spaces are somehow the issue.
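
The checks suggested in the answer above, written out as an added KQL example (not part of the original thread and not the rule template's own query). The watchlist alias `VIPUsers` and the output column name `UPN` are assumptions; `User Principal Name` is the column named in the answer.

```kql
// Added example. Assumption: the watchlist alias is 'VIPUsers'; substitute your own.
// Run each query separately in the Logs blade.

// 1. Run the watchlist lookup standalone and list the columns it really returns.
//    If 'User Principal Name' is missing or spelled differently here, the rule
//    query cannot resolve it.
_GetWatchlist('VIPUsers')
| getschema
| project ColumnName, ColumnType

// 2. Rename the spaced column with project, using bracket quoting, so the rest
//    of the query can refer to a name without spaces.
_GetWatchlist('VIPUsers')
| project UPN = tolower(tostring(['User Principal Name'])), SearchKey
| take 10

// 3. Confirm every VIP record is unique. Any row returned is a duplicate
//    (or blank) entry in the watchlist that should be cleaned up.
_GetWatchlist('VIPUsers')
| project UPN = tolower(tostring(['User Principal Name']))
| summarize Rows = count() by UPN
| where Rows > 1 or isempty(UPN)
```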

