Microsoft Entra ID Entity Analytics vs Azure

Hello,

I've been leveraging Azure Logs - Audit Logs to collect Azure AD data.
This has been alright, but I wanted to test out the Microsoft Entra ID Entity Analytics integration, and I'm wondering about others' experience with the latter.

Hello,

We've been using it and it's awesome for a lot of reasons.

Something you need to be aware of is the different timestamps. Depending on the data view you create, the data can be visualised in totally different ways, because it takes the ingest timestamp vs the asset created timestamp vs the asset last sign-in timestamp.

There is definitely room for improvement. Some examples:

  • I was hoping we could use this data to enrich other datasets which only contain the user id and not the user name. But to achieve that, a transform needs to be added and an enrich index. Imho this should have come out of the box.
  • The host.name field is not a lowercase FQDN. So I had to add a custom ingest pipeline which lowercases the host.name and appends our domain. That way we can correlate with other datasets which contain lowercase FQDNs.
  • It only contains Entra ID devices, not Intune data. Hopefully Elastic will release an Intune Entity Analytics dataset soon.
  • What we kind of need is an easy! way to compare datasets. I'm having a hard time comparing the Entra ID Device dataset with other datasets, so we can detect, for example, which hosts are missing a certain agent.

WillemD

1 Like
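The host.name normalization described in the reply above, as an added example that is not WillemD's pipeline or anything shipped with the Elastic integration: the body of a `PUT _ingest/pipeline/<name>` request that lowercases `host.name` and appends a domain only when the value is a bare hostname. The pipeline name and the domain `corp.example.com` are placeholders to replace with your own.

```json
{
  "description": "Added example: normalize Entra ID device host.name to a lowercase FQDN so it joins with other datasets",
  "processors": [
    {
      "lowercase": {
        "field": "host.name",
        "ignore_missing": true
      }
    },
    {
      "set": {
        "description": "Append the placeholder domain only when host.name has no dot, so already-qualified names are left alone",
        "if": "ctx.host?.name != null && !ctx.host.name.contains('.')",
        "field": "host.name",
        "value": "{{{host.name}}}.corp.example.com"
      }
    },
    {
      "set": {
        "description": "Keep the original Entra ID value for auditing the transformation",
        "if": "ctx.host?.name != null",
        "field": "host.entra.original_name",
        "copy_from": "host.name",
        "override": false
      }
    }
  ]
}
```

Check it against real documents with `POST _ingest/pipeline/<name>/_simulate` before wiring it in as the integration's `@custom` pipeline; the third processor copies the already-normalized value, so move it first if you want the raw Entra ID form preserved instead.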

Thanks!
Yeah, I don't like how Microsoft hides information. We had a similar issue with subscriptions only showing up as subscription.id, which didn't help that much until we enriched it using an ingest pipeline.

1 Like