What Changed

The Incident-Trigger-Entity-Analyzer playbook in the SentinelSOARessentials solution received significant enhancements to improve user entity resolution reliability. The update addresses a critical gap where the playbook previously only used AadUserId for user identification, causing silent failures when incidents contained user entities with different identifier formats.

Security Impact (Visibility & Fidelity)

Previous Gap: Deployments using the earlier version experienced silent failures in user entity analysis when incident entities provided user identifiers in formats other than AadUserId (objectGuid, UPN variations, Name+UPNSuffix combinations). This resulted in incomplete incident enrichment and missed security intelligence for affected user entities.

Resolution: The updated logic now implements a robust fallback mechanism using coalesce() across multiple identifier types:

  • objectGuid
  • aadUserId
  • UPN (both case variations)
  • Name+UPNSuffix combinations

When no valid user identifier is found, the playbook now adds an explicit skip comment to the incident, providing visibility into entities that could not be analyzed rather than failing silently.
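The fallback described above, modelled in Python as an added illustration (this is not the playbook's own Logic App definition; the entity field names objectGuid, aadUserId, UPN/upn, Name and UPNSuffix, the sample entities and the comment wording are assumptions):

```python
from typing import Optional

# Stand-in for the Logic App coalesce(): return the first usable value.
# Note: the real coalesce() skips only null, not "", so this model is
# stricter in treating an empty string as "missing" as well.
def first_non_empty(*values: Optional[str]) -> Optional[str]:
    for v in values:
        if v:
            return v
    return None

def name_with_suffix(entity: dict) -> Optional[str]:
    """Build a UPN from Name + UPNSuffix when both are present."""
    name, suffix = entity.get("Name"), entity.get("UPNSuffix")
    return f"{name}@{suffix}" if name and suffix else None

def resolve_user_identifier(entity: dict) -> Optional[str]:
    """Fallback order from the release note: objectGuid, aadUserId,
    UPN in either casing, then Name+UPNSuffix."""
    return first_non_empty(
        entity.get("objectGuid"),
        entity.get("aadUserId"),
        entity.get("UPN"),
        entity.get("upn"),
        name_with_suffix(entity),
    )

def legacy_resolve(entity: dict) -> Optional[str]:
    """Pre-fix behaviour for contrast: only the AAD user id was consulted,
    so any other identifier format was dropped without a trace."""
    return entity.get("aadUserId") or None

def analyze_entities(entities: list[dict]) -> dict:
    """Return identifiers to enrich plus an explicit skip comment for each
    entity that could not be resolved (instead of failing silently)."""
    resolved, skip_comments = [], []
    for idx, entity in enumerate(entities):
        ident = resolve_user_identifier(entity)
        if ident is None:
            skip_comments.append(
                f"Entity {idx}: skipped, no usable user identifier "
                "(objectGuid/aadUserId/UPN/Name+UPNSuffix) was present.")
        else:
            resolved.append(ident)
    return {"resolved": resolved, "skip_comments": skip_comments}

# Constructed sample entities, not taken from a real incident.
SAMPLE_ENTITIES = [
    {"aadUserId": "11111111-1111-1111-1111-111111111111"},
    {"objectGuid": "22222222-2222-2222-2222-222222222222", "aadUserId": ""},
    {"upn": "alice@contoso.example"},
    {"Name": "bob", "UPNSuffix": "contoso.example"},
    {"Name": "carol"},  # no suffix and no id: gets a skip comment
]
```

Running `analyze_entities(SAMPLE_ENTITIES)` resolves four of the five entities and emits one skip comment, whereas `legacy_resolve` would have silently produced nothing for all but the first.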

Operational Changes

  • Metadata Updates: Extended description clarifies intelligent user identifier detection capabilities
  • Logic App Tagging: Added Sentinel template metadata for improved deployment tracking
  • Error Handling: Explicit skip comments when user identification fails
  • API Standardization: Consistent lowercase azuresentinel connection naming

Affected Files

Solutions/SentinelSOARessentials/Playbooks/Incident-Trigger-Entity-Analyzer/azuredeploy.json
(packaging artefacts: 3.0.8.zip, Solution_SentinelSOAREssentials.json, mainTemplate.json)