File: articles/sentinel/map-data-fields-to-entities.md
Lines changed: 9 additions & 7 deletions
@@ -38,23 +38,24 @@ The procedure detailed below is part of the analytics rule creation wizard. It's
1. Select an **identifier** for the entity. Identifiers are attributes of an entity that can sufficiently identify it. Choose one from the **Identifier** drop-down list, and then choose a data field from the **Value** drop-down list that will correspond to the identifier. With some exceptions, the **Value** list is populated by the data fields in the table defined as the subject of the rule query.
-
You can define **up to three identifiers** for a given entity. Some identifiers are required, others are optional. You must choose at least one required identifier. If you don't, a warning message will instruct you which identifiers are required. For best results - for maximum unique identification - you should use **strong identifiers** whenever possible, and using multiple strong identifiers will enable greater correlation between data sources. See the full list of available [entities and identifiers](entities-reference.md).
+
You can define **up to three identifiers** for a given entity mapping. Some identifiers are required, others are optional. You must choose at least one required identifier. If you don't, a warning message will instruct you which identifiers are required. For best results—for maximum unique identification—you should use **strong identifiers** whenever possible, and using multiple strong identifiers will enable greater correlation between data sources. See the full list of available [entities and identifiers](entities-reference.md).
:::image type="content" source="media/map-data-fields-to-entities/map-entities.png" alt-text="Map fields to entities":::
-
1.Click**Add new entity** to map more entities. You can map**up to five entities** in a single analytics rule. You can also map more than one of the same type. For example, you can map two **IP** entities, one from a *source IP address* field and one from a *destination IP address* field. This way you can track them both.
+
1.Select**Add new entity** to map more entities. You can define**up to ten entity mappings** in a single analytics rule. You can also map more than one of the same type. For example, you can map two **IP** entities, one from a *source IP address* field and one from a *destination IP address* field. This way you can track them both.
If you change your mind, or if you made a mistake, you can remove an entity mapping by clicking the trash can icon next to the entity drop-down list.
1. When you have finished mapping entities, click the **Review and create** tab. Once the rule validation is successful, click **Save**.
> [!NOTE]
-
> -**Each mapped entity can identify *up to ten entities***.
-
> - If an alert contains more than ten items that correspond to a single entity mapping, only the first ten will be recognized as entities and be able to be analyzed as such.
-
> - This limitation applies to actual mappings, not to entity types. So if you have three different mapped entities for IP addresses (say, source, destination, and gateway), each of those mappings can accommodate ten entities.
+
> -***Up to 500 entities collectively* can be identified in a single alert, divided equally across all entity mappings defined in the rule**.
+
> - For example, if two entity mappings are defined in the rule, each mapping can identify up to 250 entities; if five mappings are defined, each one can identify 100 entities, and so on.
+
> - Multiple mappings of a single entity type (say, source IP and destination IP) each count separately.
+
> - If an alert contains items in excess of this limit, those excess items will not be recognized and extracted as entities. Because of the internal logic of the entity extraction engine, ...
>
-
> -**The size limit for an entire alert is *64 KB***.
-
> -Alerts that grow larger than 64 KB will be truncated. As entities are identified, they are added to the alert one by one until the alert size reaches 64 KB, and any remaining entities are dropped from the alert.
+
> -**The size limit for the entire*entities* field of an alert is *64 KB***.
+
> -*Entities* fields that grow larger than 64 KB will be truncated. As entities are identified, they are added to the alert one by one until the field size reaches 64 KB, and any entities yet unidentified are dropped from the alert.
## Notes on the new version
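Review bot: the last added bullet of the NOTE block ("If an alert contains items in excess of this limit, those excess items will not be recognized and extracted as entities. Because of the internal logic of the entity extraction engine, ...") trails off mid-sentence; either finish the explanation of how the extraction engine treats the excess items or drop the dangling clause, since readers cannot act on it as written. Also, the added step `1.Select**Add new entity** to map more entities.` switches the verb from "Click" to "Select", but the unchanged context lines still read "by clicking the trash can icon" and "click the **Review and create** tab ... click **Save**", so the procedure should use one verb throughout in the same change. Finally, the added lines `1.Select**Add new entity**` and `> -***Up to 500 entities collectively* can be identified` appear to lack the spaces after the list marker and around the bold markup that Markdown needs to render a numbered step and a bold bullet; worth confirming in the rendered view before merging.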
@@ -68,3 +69,4 @@ In this document, you learned how to map data fields to entities in Microsoft Se
- Get the complete picture on [scheduled query analytics rules](detect-threats-custom.md).
- Learn more about [entities in Microsoft Sentinel](entities.md).
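Review bot: the added next-steps link "Learn more about [entities in Microsoft Sentinel](entities.md)" is a sensible addition, but the body of this page already sends readers to `entities-reference.md` for the full list of entities and identifiers; consider listing that reference page here as well so the next-steps section covers both the concept page and the identifier list.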