Forum Discussion

SledgeLive
Copper Contributor
Nov 06, 2023

Entities

Hi, I use the Microsoft 365 Defender data connector to forward security incidents to Sentinel.
The incident contains a lot of entities like host/username and process information.
I need the local IP address from the host (type IP) - how can I add this entity every time I get an incident?

Jan

Hey SledgeLive

There's a few ways you could approach this:

You could run a playbook over your incidents to inject the IP into your alert as an entity.

Create a custom analytic based on the original for your use case and add in the IP.

Unfortunately there's no way to surface custom entities from generated alerts / incidents from Defender into Sentinel...yet
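The second suggestion above (a custom analytic rule that re-emits the Defender host alert with the device's local IP mapped as an IP entity) sketched out as a Sentinel scheduled-rule definition in the YAML layout used by the Azure-Sentinel GitHub repo. This is an added example, not code from either poster or from Microsoft. It assumes: the Defender for Endpoint alerts show `ProviderName == "MDATP"` in your `SecurityAlert` table, the `DeviceNetworkInfo` table is being ingested through the same connector, `DeviceNetworkInfo.DeviceName` is an FQDN while the alert's host entity carries the short host name, and the `connectorId` value is the one the repo uses for this connector; the `id` GUID is a placeholder.

```yaml
id: 00000000-0000-0000-0000-000000000000   # placeholder, generate your own GUID
name: Defender host alert enriched with local IP (example)
description: |
  Re-emits Defender for Endpoint host alerts with the most recent private IPv4
  address of the affected device, so Sentinel can map it as an IP entity.
severity: Medium
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection   # assumed id of the Microsoft 365 Defender connector
    dataTypes:
      - SecurityAlert
      - DeviceNetworkInfo
queryFrequency: 1h
queryPeriod: 1h
triggerOperator: gt
triggerThreshold: 0
query: |
  let lookback = 1h;
  // Defender alerts that arrived through the connector; adjust ProviderName to
  // the value your SecurityAlert table shows (assumed "MDATP" here).
  let hostAlerts = SecurityAlert
      | where TimeGenerated > ago(lookback)
      | where ProviderName == "MDATP"
      // Entities is a JSON array; keep only the host entity and take its short name
      | mv-expand Entity = todynamic(Entities)
      | where tostring(Entity.Type) == "host"
      | extend HostName = tolower(tostring(Entity.HostName))
      | where isnotempty(HostName)
      | project TimeGenerated, SystemAlertId, AlertName, AlertSeverity, HostName;
  // Most recent private IPv4 address on an adapter that is up, per device
  let localIps = DeviceNetworkInfo
      | where TimeGenerated > ago(1d)
      | where NetworkAdapterStatus == "Up"
      | mv-expand Addr = todynamic(IPAddresses)
      | extend LocalIP = tostring(Addr.IPAddress)
      | where ipv4_is_private(LocalIP)
      // DeviceName is assumed to be the FQDN; reduce it to the short name used by the entity
      | extend HostName = tolower(tostring(split(DeviceName, ".")[0]))
      | summarize arg_max(TimeGenerated, LocalIP) by HostName
      | project HostName, LocalIP;
  // Inner join: only alerts for which a local IP is known will fire
  hostAlerts
  | join kind=inner localIps on HostName
  | project TimeGenerated, SystemAlertId, AlertName, AlertSeverity, HostName, LocalIP
entityMappings:
  - entityType: Host
    fieldMappings:
      - identifier: HostName
        columnName: HostName
  - entityType: IP
    fieldMappings:
      - identifier: Address
        columnName: LocalIP
version: 1.0.0
kind: Scheduled
```

Two things to keep in mind when using this pattern: it produces a second Sentinel alert alongside the one the connector already forwarded, so pair it with incident grouping (or suppress the original in your incident filter) to avoid duplicate incidents; and the `inner` join deliberately drops alerts whose device has no recent `DeviceNetworkInfo` row, since mapping an empty string to an IP entity would be worse than having no IP entity at all.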
