Skip to content

Commit 5be8688

Browse files
ArieHeinyelevin
ArieHein
and
yelevin
authored
Update articles/sentinel/entities.md
 fix spelling Co-authored-by: Yechiel Levin <[email protected]>
1 parent c24c949 commit 5be8688

File tree

1 file changed

+1
-1
lines changed

1 file changed

+1
-1
lines changed

articles/sentinel/entities.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -32,7 +32,7 @@ Microsoft Sentinel supports a wide variety of entity types. Each type has its ow
3232

3333
For each type of entity there are fields, or sets of fields, that can identify particular instances of that entity. These fields or sets of fields can be referred to as **strong identifiers** if they can uniquely identify an entity without any ambiguity, or as **weak identifiers** if they can identify an entity under some circumstances, but are not guaranteed to uniquely identify an entity in all cases. In many cases, though, a selection of weak identifiers can be combined to produce a strong identifier.
3434

35-
For example, user accounts can be identified as **account** entities in more than one way: using a single **strong identifierr** like a Microsoft Entra account's numeric identifier (the **GUID** field), or its **User Principal Name (UPN)** value, or alternatively, using a combination of **weak identifiers** like its **Name** and **NTDomain** fields. Different data sources can identify the same user in different ways. Whenever Microsoft Sentinel encounters two entities that it can recognize as the same entity based on their identifiers, it merges the two entities into a single entity, so that it can be handled properly and consistently
35+
For example, user accounts can be identified as **account** entities in more than one way: using a single **strong identifier** like a Microsoft Entra account's numeric identifier (the **GUID** field), or its **User Principal Name (UPN)** value, or alternatively, using a combination of **weak identifiers** like its **Name** and **NTDomain** fields. Different data sources can identify the same user in different ways. Whenever Microsoft Sentinel encounters two entities that it can recognize as the same entity based on their identifiers, it merges the two entities into a single entity, so that it can be handled properly and consistently.
3636

3737
If, however, one of your resource providers creates an alert in which an entity is not sufficiently identified&mdash;for example, using only a single **weak identifier** like a user name without the domain name context&mdash;then the user entity cannot be merged with other instances of the same user account. Those other instances would be identified as a separate entity, and those two entities would remain separate instead of unified.
3838

0 commit comments

Comments
 (0)