Just noticed that in the rule "Azure Excessive Signin Logs by Azure Identity" it seems impossible to display the field azure.signinlogs.identity, which is not very user friendly and a waste of time to look up afterwards.

So 2 questions:

- Why can't we display azure.signinlogs.identity in the signal overview?
- Why is azure.signinlogs.identity not copied to user.name in the azure.signin pipeline?
Unmapped fields in an alerts index (e.g. .siem-signals-default) are not displayed in the Detection alerts table, as shown in the screenshot above, until one of the following actions is taken:
Of the two options above, adding a runtime field is preferable, because it doesn't require re-indexing.
To that end, we opened:
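Worked example of the runtime-field approach recommended in the answer above (added here; not code from this thread or from Elastic): it adds azure.signinlogs.identity as a scriptless keyword runtime field on the .siem-signals-default alerts index, so the value is read from _source at query time with no re-indexing, and then runs a search that requests the field explicitly to confirm it resolves. Assumptions: Elasticsearch 7.11 or later (runtime fields), and ES_URL / ES_AUTH set for your cluster; the index and field names are the ones named in the thread.

```shell
#!/bin/sh
# Added example: surface an unmapped alert field as a runtime field (no re-index).
# Assumptions: Elasticsearch >= 7.11, ES_URL such as https://es:9200, ES_AUTH as user:pass.
ES_URL="${ES_URL:-http://localhost:9200}"
ES_AUTH="${ES_AUTH:-elastic:changeme}"

# Body for PUT <index>/_mapping. A runtime field without a script takes its
# value from _source at query time, so alerts already indexed are covered too.
runtime_field_body() {
  field="$1"
  printf '{"runtime": {"%s": {"type": "keyword"}}}\n' "$field"
}

# Search body that asks for the runtime field via "fields"; runtime fields are
# not part of _source, so they must be requested explicitly to be returned.
verify_body() {
  field="$1"
  printf '{"size": 5, "fields": ["%s"], "_source": false, "query": {"exists": {"field": "%s"}}}\n' \
    "$field" "$field"
}

# Apply the mapping change to the alerts index (an alias is accepted as target).
add_runtime_field() {
  index="$1"; field="$2"
  runtime_field_body "$field" | curl -sS -u "$ES_AUTH" -H 'Content-Type: application/json' \
    -X PUT "$ES_URL/$index/_mapping" --data-binary @-
}

# Confirm the field now resolves on existing alerts.
verify_runtime_field() {
  index="$1"; field="$2"
  verify_body "$field" | curl -sS -u "$ES_AUTH" -H 'Content-Type: application/json' \
    -X POST "$ES_URL/$index/_search" --data-binary @-
}

# Only talk to the cluster when explicitly asked, so sourcing this file is side-effect free.
if [ "${1:-}" = "apply" ]; then
  add_runtime_field ".siem-signals-default" "azure.signinlogs.identity"
  verify_runtime_field ".siem-signals-default" "azure.signinlogs.identity"
fi
```

Run it as `sh add_runtime_field.sh apply` once ES_URL and ES_AUTH point at the cluster; the mapping update is idempotent, so re-running it is harmless.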