Azure Sentinel Enhanced Entity Mapping and Custom Event Parameter Details Now in Public Preview

As if you need something else to do on a Monday morning after Ignite 2021 and a scramble to get on-premises Exchange servers under control

Today, the enhanced Entity mapping and Custom event parameters capability is in public preview.

Alert enhancement

I’m not going to go into great detail in this blog post – but only to alert you to the existence of this. I’ll follow up about using these new features soon.

Entity mapping

Map up to five entities recognized by Azure Sentinel from the appropriate fields available in your query results. This enables Azure Sentinel to recognize and classify the data in these fields for further analysis. For each entity, you can define up to three identifiers, which are attributes of the entity that help identify the entity as unique.

Unlike the previous version of entity mapping, the mappings defined below do not appear in the query code. Any mapping you define below will replace not only its parallel old mapping in the query code, but any mappings defined in the query code – though they still appear, they will be disregarded when the query runs.

Adding a new Entity type…

Add new custom entity

Custom details

Here you can surface particular event parameters and their values in alerts that comprise those events, by adding key-value pairs below. In the Key field, enter a name of your choosing that will appear as the field name in alerts. In the Value field, choose the event parameter you wish to surface in the alerts from the drop-down list.


Have fun!


[Want to discuss this further? Hit me up on Twitter or LinkedIn]


Leave a Reply