Important Changes in the New Entity Mapping Feature for Azure Sentinel

Called out in the Notes section for the new version of Entity Mapping for Azure Sentinel, there’s some tidbits of good and important information you should all be aware of. I’ve had several questions around this recently and a lot of times there’s nothing better than the good, old docs.

I’m going to expose the important pieces here in this blog with my own emphasis, but it comes from the following link (which will always be your most current source of information):

Map data fields to Azure Sentinel entities | Microsoft Docs

From the text:

  • If you had previously defined entity mappings for this analytics rule using the old version, those mappings appear in the query code. Entity mappings defined under the new version DO NOT APPEAR IN THE QUERY CODE. Analytics rules CAN ONLY SUPPORT ONE VERSION OF ENTITY MAPPINGS AT A TIME, and the NEW VERSION TAKES PRECEDENCE. Therefore, any single mapping you define here will cause any and all mappings defined in the query code to be disregarded when the query runs.
  • IF YOU STILL NEED TO USE THE OLD VERSION of entity mapping (as long as the new version is still in preview), you can still access it using a FEATURE FLAG IN THE URL. Place your cursor between and #blade, and insert the text ?feature.EntityMapping=false.
    • The limits of the old version will continue to apply. You can map only the user, host, IP address, URL, and file hash entities, and only one of each. (Mappings: AccountCustomEntity, IPCustomEntity, HostCustomEntity, and URLCustomEntity)
  • YOU MUST REMOVE ANY ENTITY MAPPINGS created using the new version before you return to the old version, otherwise any entity mappings that use the old version will not work.
  • ONCE THE NEW VERSION OF ENTITY MAPPING IS IN GENERAL AVAILABILITY, it will no longer be possible to use the old version. It is highly recommended that you migrate your old entity mappings to the new version.

Hopefully this helps someone.


[Want to discuss this further? Hit me up on Twitter or LinkedIn]

[Subscribe to the RSS feed for this blog]

[Subscribe to the Weekly Azure Sentinel Newsletter]