Azure Sentinel Incident Field Mapping

Karlie01
Tera Contributor

Hi all,

I have installed Microsoft Azure Sentinel Incident Ingestion Integration For Security Operations.

I have mapped the ${Account: properties(accountName)}$ from the Account Entity Fields to the Affected user within the Azure Sentinel Incident Profile.

The accountName is listed as an Employee number but I need this as a Name. I have attempted this within the Azure Sentinel Field Translation but it's not populating the Name.

var user = new GlideRecord('sys_user');
user.addQuery('employee_number', sourceValue);
user.query();

while (user.next()) {
    destinationValue = user.sys_id;
}

Any help would be much appreciated.


vamshi krishna4
Giga Guru

Hi @Karlie01 ,

Got any solution for this?

Karlie01
Tera Contributor

Hi Vamshi,

No, unfortunately not.

vamshi krishna4
Giga Guru

@Karlie01 have you configured anything for when we get multiple account entities for the affected user?

Karlie01
Tera Contributor

No, the examples that I was provided only contained one account entry, but this would need to be considered.
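
An added example, not part of any post in this thread and not code from the integration: one way to write the employee-number lookup so it returns a sys_id string and refuses to guess when there is no match, a duplicate match, or several account entities pointing at different users. It assumes sourceValue carries the employee number as in the question; resolveUserSysId and resolveAffectedUser are hypothetical helper names, and the GlideRecord class here is a small in-memory stub over constructed records so the logic runs outside ServiceNow.

```javascript
// Constructed stand-in for the sys_user table (not real data).
const SYS_USER = [
  { sys_id: 'a1', employee_number: '1001', name: 'Constructed User One' },
  { sys_id: 'b2', employee_number: '1002', name: 'Constructed User Two' },
  { sys_id: 'c3', employee_number: '1002', name: 'Constructed Duplicate' },
  { sys_id: 'd4', employee_number: '1003', name: 'Constructed User Three' },
];

// Minimal stub of the GlideRecord calls used below, so the example runs offline.
class GlideRecord {
  constructor(table) { this.rows = table === 'sys_user' ? SYS_USER : []; this.filters = []; this.i = -1; }
  addQuery(field, value) { this.filters.push([field, String(value)]); }
  query() { this.hits = this.rows.filter(r => this.filters.every(([f, v]) => r[f] === v)); }
  next() { return ++this.i < this.hits.length; }
  getRowCount() { return this.hits.length; }
  getUniqueValue() { return this.hits[this.i].sys_id; }
}

// Hypothetical helper: employee number -> sys_id string, '' when nothing can be resolved.
function resolveUserSysId(sourceValue) {
  var empNo = String(sourceValue == null ? '' : sourceValue).trim();
  if (!empNo) return '';                 // do not query on an empty employee number
  var user = new GlideRecord('sys_user');
  user.addQuery('employee_number', empNo);
  user.query();
  if (user.getRowCount() !== 1) return ''; // no match, or ambiguous: leave the field empty
  user.next();
  return user.getUniqueValue();          // plain string, not a field object
}

// Hypothetical helper for incidents carrying several account entities:
// only set the affected user when every resolvable account is the same user.
function resolveAffectedUser(accountNames) {
  var seen = {};
  accountNames.forEach(function (name) {
    var id = resolveUserSysId(name);
    if (id) seen[id] = true;
  });
  var ids = Object.keys(seen);
  return ids.length === 1 ? ids[0] : '';
}
```

Inside a translation script the result would be assigned to destinationValue, as in the question; whether the Affected user field expects a sys_id is an assumption to confirm against the profile.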