


# Entity types and identifiers

The following table shows the entity types currently available for mapping in Microsoft Sentinel, and the attributes available as identifiers for each entity type. These attributes appear in the Identifiers drop-down list in the entity mapping section of the analytics rule wizard.

Each one of the identifiers in the required identifiers column is necessary to identify its entity. However, a required identifier might not, by itself, be sufficient to provide unique identification. The more identifiers used, the greater the likelihood of unique identification. For best results (guaranteed unique identification), use identifiers from the strongest identifiers column whenever possible. You can use up to three identifiers for a single entity mapping.

The use of multiple strong identifiers enables correlation between strong identifiers from varying data sources and schemas. This correlation in turn allows Microsoft Sentinel to provide more comprehensive insights for a given entity.

The following section contains a more in-depth look at the full schemas of each entity type. You'll notice that many of these schemas include links to other entity types; for example, the User account schema includes a link to the Host entity type, since one attribute of a user account is the host it's defined on. These externally linked entities can't be used as identifiers for the purpose of entity mapping, but they are very useful in giving a complete picture of entities on entity pages and the investigation graph. A question mark following the value in the Type column indicates the field is nullable.

User account schema, field descriptions:

- This field should hold only the name without any domain added to it.
- Not part of schema, included for backward compatibility with old version of entity mapping.
- The NETBIOS domain name as it appears in the alert format – domain\username.
- The user principal name suffix for the account. In some cases this is also the domain name.
- The host which contains the account, if it's a local account.
- The account security identifier, such as S-1-5-18.
- Determines whether this is a domain account.
- The Azure AD account object ID, if known.
- The objectGUID attribute is a single-value attribute that is the unique identifier for the object, assigned by Active Directory.

Strong identifiers for the Account entity:

- Sid + Host (required for SIDs of builtin accounts).
- Sid (except for SIDs of builtin accounts).
- Name + NTDomain (unless NTDomain is a builtin domain, for example "Workgroup").
- Name + Host (if NTDomain is a builtin domain, for example "Workgroup").

If the Account entity is defined using the Name identifier, and the Name value of a particular entity is one of the following generic, commonly built-in account names, then that entity will be dropped from its alert.

Host schema, field descriptions:

- The DNS domain that this host belongs to. Should contain the complete DNS suffix for the domain, if known.
- The IoT Device entity (if this host represents an IoT Device).
- The Azure resource ID of the VM, if known.
- A free-text representation of the operating system.
- The OMS agent ID, if the host has OMS agent installed.
- Determines whether this host belongs to a domain.
- This field is meant to hold specific versions that are more fine-grained than OSFamily, or future values not supported by OSFamily enumeration.
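The Account strong-identifier rules described on this page (Sid alone unless the SID is a builtin account's, Sid + Host for builtin SIDs, Name + NTDomain unless the domain is a builtin one such as "Workgroup", Name + Host otherwise, and dropping entities whose Name is a generic built-in account name), worked through as an added Python example. This is not code from the page or from Microsoft Sentinel. The field names follow the identifiers named on the page; the test for a builtin SID, the set of builtin domain names and the set of generic account names are assumptions and placeholders constructed for this example, since the page does not reproduce those lists.

```python
"""Pick the strongest available identifier for a Sentinel-style Account entity.

Added example (not Microsoft's code). The rules follow the page; the three
constant sets below are assumptions/placeholders, not Sentinel's own lists.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

# ASSUMPTION: well-known NT AUTHORITY SIDs, plus any account whose RID is below
# 1000, are treated as builtin. Such SIDs repeat on every Windows host, so they
# identify an account only together with the host (Sid + Host on the page).
WELL_KNOWN_SIDS = {"S-1-5-18", "S-1-5-19", "S-1-5-20"}

# ASSUMPTION: NTDomain values that are not real domains; the page names "Workgroup".
BUILTIN_DOMAINS = {"workgroup", "nt authority"}

# PLACEHOLDER: the page refers to a list of generic built-in account names that
# is not reproduced here; these entries are constructed stand-ins.
GENERIC_ACCOUNT_NAMES = {"administrator", "guest", "system"}


@dataclass
class Account:
    name: Optional[str] = None       # Name: account name without any domain
    nt_domain: Optional[str] = None  # NTDomain: NETBIOS domain from domain\username
    host: Optional[str] = None       # Host: the host holding a local account
    sid: Optional[str] = None        # Sid: security identifier, e.g. S-1-5-18


def is_builtin_sid(sid: str) -> bool:
    """True for SIDs that are the same on every host (assumed heuristic)."""
    if sid in WELL_KNOWN_SIDS:
        return True
    rid = sid.rsplit("-", 1)[-1]
    return rid.isdigit() and int(rid) < 1000


def is_builtin_domain(domain: str) -> bool:
    return domain.strip().lower() in BUILTIN_DOMAINS


def strongest_identifier(acct: Account) -> Optional[tuple]:
    """Return a key that uniquely identifies the account, or None when the
    entity cannot be identified and would be dropped from its alert."""
    if acct.sid:
        if not is_builtin_sid(acct.sid):
            return ("Sid", acct.sid)
        if acct.host:
            # Sid + Host is required for SIDs of builtin accounts.
            return ("Sid+Host", acct.sid, acct.host.lower())
        # A builtin SID without a host is not a strong identifier; fall through
        # to the Name-based rules.
    if acct.name:
        if acct.name.lower() in GENERIC_ACCOUNT_NAMES:
            return None  # generic built-in name: entity is dropped
        if acct.nt_domain and not is_builtin_domain(acct.nt_domain):
            return ("Name+NTDomain", acct.name.lower(), acct.nt_domain.lower())
        if acct.host:
            return ("Name+Host", acct.name.lower(), acct.host.lower())
    return None


def group_by_identity(accounts: list[Account]) -> dict[tuple, list[Account]]:
    """Correlate Account entities from different sources by their strongest key."""
    groups: dict[tuple, list[Account]] = {}
    for acct in accounts:
        key = strongest_identifier(acct)
        if key is not None:
            groups.setdefault(key, []).append(acct)
    return groups


if __name__ == "__main__":
    # Constructed sample entities, as they might arrive from two data sources.
    sample = [
        Account(sid="S-1-5-21-1111-2222-3333-1105"),
        Account(name="jsmith", nt_domain="CONTOSO", sid="S-1-5-21-1111-2222-3333-1105"),
        Account(sid="S-1-5-18", host="WS01"),
        Account(name="svc_backup", nt_domain="Workgroup", host="WS01"),
        Account(name="Administrator", nt_domain="CONTOSO"),
    ]
    for key, members in group_by_identity(sample).items():
        print(key, "->", len(members), "entity(ies)")
```

The two entries that share a domain SID collapse into one group even though only one of them carries a name, which is the cross-source correlation the page describes; the builtin SID is keyed together with its host, the "Workgroup" account falls back to Name + Host, and the generic "Administrator" entity is left out entirely.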
