Why Is Microsoft Sentinel Investigation Graph Empty After Creating Custom Analytics Rules?
Master Microsoft Sentinel investigations for your AZ-500 exam by understanding why entity mapping is crucial for populating investigation graphs. Learn how to properly configure entity mappings in custom analytics rules to enable full investigation capabilities with related users, IPs, hosts, and other entities.
Question
You notice that, when you attempt to investigate an incident created from your custom rule in Azure Sentinel, the investigation graph is empty. What is the most likely cause?
A. Rule is disabled
B. Permissions (RBAC)
C. Query syntax
D. Entity mapping
Answer
D. Entity mapping
Explanation
The correct answer is D. Entity mapping is the most likely cause of an empty investigation graph. The investigation feature in Microsoft Sentinel requires properly configured entity mappings in the analytics rule to populate the graph with related entities and their relationships.
You’ll only be able to investigate the incident if you used the entity mapping fields when you set up your analytics rule. The investigation graph requires that your original incident includes entities.
Understanding Entity Mapping in Microsoft Sentinel
Entity mapping is a critical configuration step when creating custom analytics rules in Microsoft Sentinel. It tells the system which fields in your query results correspond to specific entity types such as users, IP addresses, hosts, files, or URLs. Without this mapping, Sentinel cannot build the contextual relationships needed for investigation graphs.
How Entity Mapping Enables Investigation Graphs
- Entity Identification: When an alert fires, Sentinel uses the entity mappings to extract and identify the relevant security entities from the query results. For example, mapping a field like SourceIP to the IP address entity type allows Sentinel to recognize this as a network entity.
- Relationship Building: The investigation graph visualizes relationships between entities. If a user account, source IP, and destination host are all properly mapped, Sentinel can show how these entities relate to each other within the context of the incident.
- Timeline Construction: Entity mappings enable Sentinel to build a timeline of activities involving the mapped entities, showing how the security incident developed over time.
- Related Activity Discovery: With proper entity mapping, the investigation feature can automatically discover related activities involving the same entities across different data sources.
Common Entity Types for Mapping
When creating custom analytics rules, you should map relevant fields to these entity types:
- Account: User accounts, service accounts, or any identity-related information
- Host: Computer names, hostnames, or device identifiers
- IP: Source IPs, destination IPs, or any network addresses
- URL: Web addresses or domain names
- File: File names, file hashes, or file paths
- Process: Process names or process IDs
Why Other Options Are Less Likely
Rule is disabled (A): If the rule were disabled, no incidents would be created at all, so this wouldn’t explain an empty investigation graph for an existing incident.
Permissions (RBAC) (B): RBAC issues would typically prevent access to the investigation feature entirely, not just result in an empty graph.
Query syntax (C): Query syntax errors would prevent the analytics rule from running successfully and creating incidents, rather than creating incidents with empty investigation graphs.
Best Practice for Entity Mapping
When creating custom analytics rules, always identify which entities are relevant to your detection scenario and map the corresponding fields in your query results. Even if your primary goal is detection, proper entity mapping significantly enhances the incident response capabilities by enabling rich investigation experiences for your security analysts.
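As an added example (not part of the original page or of Microsoft's tooling), the check below reads a scheduled analytics rule in the shape of the ARM/REST `entityMappings` property and reports the two conditions that leave incidents without entities: no mappings at all, and a mapping whose `columnName` is not among the columns the query's final `project` emits. The identifier table is a constructed subset of the schema, the sign-in query and the three rule definitions are constructed samples, and the KQL handling is deliberately minimal (it splits stages on `|`).

```python
import re

# Entity types and the identifiers they accept: a constructed subset of the
# scheduled-rule entityMappings schema (assumption; the portal lists the full set).
IDENTIFIERS = {
    "Account": {"Name", "FullName", "AadUserId", "Sid", "UPNSuffix"},
    "Host": {"HostName", "FullName", "DnsDomain", "NTDomain", "AzureID"},
    "IP": {"Address"}, "URL": {"Url"},
    "File": {"Name", "Directory"}, "Process": {"ProcessId", "CommandLine"},
}

def projected_columns(kql):
    """Columns emitted by the query's last `| project`; None if it never projects.
    `Alias = expr` contributes the alias; a bare column contributes its name."""
    stages = [s.strip() for s in kql.split("|")]  # simplification: no '|' in literals
    projects = [s for s in stages if re.match(r"project\s", s)]  # skips project-away etc.
    if not projects:
        return None
    return {item.split("=")[0].strip() for item in projects[-1][7:].split(",")}

def check_entity_mappings(rule):
    """List reasons the rule's incidents would carry no (or broken) entities."""
    mappings = rule.get("entityMappings") or []
    if not mappings:
        return ["no entityMappings: incidents carry no entities, so the graph stays empty"]
    cols, problems = projected_columns(rule["query"]), []
    for m in mappings:
        etype = m.get("entityType")
        if etype not in IDENTIFIERS:
            problems.append(f"unknown entityType {etype!r}")
            continue
        for fm in m.get("fieldMappings", []):
            ident, col = fm.get("identifier"), fm.get("columnName")
            if ident not in IDENTIFIERS[etype]:
                problems.append(f"{etype}: {ident!r} is not an identifier of this type")
            elif cols is not None and col not in cols:
                problems.append(f"{etype}.{ident}: {col!r} is not a column of the final project")
    return problems

# Constructed sample query: the final project renames UserPrincipalName to User.
QUERY = """SigninLogs
| where ResultType == "50126"
| summarize Failures = count() by UserPrincipalName, IPAddress
| project User = UserPrincipalName, IPAddress, Failures"""
NO_MAPPING = {"query": QUERY}
STALE_COLUMN = {"query": QUERY, "entityMappings": [
    {"entityType": "Account", "fieldMappings": [{"identifier": "FullName", "columnName": "UserPrincipalName"}]}]}
GOOD = {"query": QUERY, "entityMappings": [
    {"entityType": "Account", "fieldMappings": [{"identifier": "FullName", "columnName": "User"}]},
    {"entityType": "IP", "fieldMappings": [{"identifier": "Address", "columnName": "IPAddress"}]}]}
```

Running `check_entity_mappings` over the three rules flags the first two and returns an empty list for the last; the stale-column case is the subtle one, since the rule still fires but the Account entity is never populated.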