What’s new: IP entity page

Published 05-12-2021 05:55 AM
Microsoft

Introducing the IP entity page

 

Now in preview, the IP entity page is the latest addition to Azure Sentinel's User and Entity Behavior Analytics capabilities.  Like the host and account pages, the IP page helps analysts quickly triage and investigate security incidents.

 

The IP page aggregates information from multiple Microsoft and 3rd party data sources. This page provides contextual information and insights like geolocation information, threat indicator data, network session data and IP-to-host mappings.

 


 

Geolocation information

 

Geolocation is often used to assess the security relevance of an IP address.  We provide geolocation enrichment data from the Microsoft Threat Intelligence service. This service combines data from Microsoft solutions with 3rd party vendors and partners. It will soon be available via REST API for security investigation scenarios to Azure Sentinel customers.

 


 

Remote connections and threat indicator data

 

Understanding which endpoints an IP address has been connecting to is a key task in investigating IP-related security incidents. The IP page summarizes this information from Azure Monitor, Microsoft Defender for Endpoint (MDE), CommonSecurityLog and other data sources.

 


 

The IP page also makes discovering connections to malicious endpoints easy. It compares remote session endpoints to IP Indicators of Compromise (IoCs) provided by Microsoft and by any threat intelligence source for which there is an enabled data connector.

 

By clicking on “See all connections” you can drill into the details in Log Analytics, so that you can review the data yourself and bookmark important connections.
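The comparison of remote session endpoints against IP IoCs can be reproduced offline to sanity-check what the page reports. The following is an added example, not Azure Sentinel's own code: the record fields, feed names and sample data are constructed assumptions, and an indicator only counts if it had not expired when the session took place.

```python
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed sample data. Field names are assumptions for this sketch, not a
# Sentinel table schema; addresses are from the RFC 5737 documentation ranges.
SESSIONS = [
    {"time": "2021-05-10T08:15:00+00:00", "local_ip": "10.0.0.5", "remote_ip": "203.0.113.7"},
    {"time": "2021-05-10T09:40:00+00:00", "local_ip": "10.0.0.5", "remote_ip": "198.51.100.23"},
    {"time": "2021-05-10T10:05:00+00:00", "local_ip": "10.0.0.9", "remote_ip": "192.0.2.44"},
    {"time": "2021-05-11T12:00:00+00:00", "local_ip": "10.0.0.9", "remote_ip": "203.0.113.7"},
]
INDICATORS = [
    {"value": "203.0.113.7", "source": "feed-a", "expires": "2021-05-11T00:00:00+00:00"},
    {"value": "198.51.100.0/24", "source": "feed-b", "expires": None},
]


def match_sessions(sessions, indicators):
    """Return sessions whose remote endpoint matches an IP indicator that was
    still valid at the time of the session."""
    compiled = []
    for ind in indicators:
        expires = datetime.fromisoformat(ind["expires"]) if ind["expires"] else None
        # A bare address becomes a /32 network; strict=False tolerates CIDR
        # values that have host bits set.
        compiled.append((ip_network(ind["value"], strict=False), ind["source"], expires))

    hits = []
    for s in sessions:
        remote = ip_address(s["remote_ip"])
        when = datetime.fromisoformat(s["time"])
        for net, source, expires in compiled:
            # An IPv4 address is never "in" an IPv6 network and vice versa.
            if remote in net and (expires is None or when < expires):
                hits.append({**s, "indicator": str(net), "source": source})
    return hits


if __name__ == "__main__":
    for hit in match_sessions(SESSIONS, INDICATORS):
        print(hit["time"], hit["local_ip"], "->", hit["remote_ip"],
              "matched", hit["indicator"], "from", hit["source"])
```

The last constructed session reaches the same address as the first but is not reported, because the indicator expired before it occurred.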

 

IP-to-host mappings

 

Like the host and account entities, you can search for individual IP addresses using the Entity Analytics search experience.  We take this a step further by enabling you to search for hosts using IP-to-host mappings.

 


 

We also provide a summary of all IP-to-host mappings on each IP entity page. The first seen / last seen information enables you to infer when the IP address was assigned to which machine.

 


 

IP-to-host mappings are currently generated from Azure Monitor heartbeat data. Let us know which data sources you most prefer, so that we know what to onboard next.
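A single first seen / last seen pair per host can overstate how long a machine held an address when the address moved away and later came back. The following added example (not the product's implementation) builds mappings from constructed heartbeat-style records and compares the coarse summary with gap-aware intervals; the record layout, host names and the one-hour gap threshold are assumptions.

```python
from datetime import datetime, timedelta

# Constructed heartbeat-style records: (time, computer, ip).
HEARTBEATS = [
    ("2021-05-10T08:00:00", "ws-01", "10.0.0.5"),
    ("2021-05-10T08:30:00", "ws-01", "10.0.0.5"),
    ("2021-05-10T09:00:00", "ws-01", "10.0.0.5"),
    ("2021-05-10T14:00:00", "ws-02", "10.0.0.5"),  # address reassigned
    ("2021-05-10T14:30:00", "ws-02", "10.0.0.5"),
    ("2021-05-10T15:00:00", "ws-02", "10.0.0.5"),
    ("2021-05-11T08:00:00", "ws-01", "10.0.0.5"),  # ws-01 gets it back
]


def build_intervals(heartbeats, max_gap=timedelta(hours=1)):
    """Group heartbeats per (ip, host) into [first_seen, last_seen] runs,
    starting a new run when the silence exceeds max_gap (assumed value)."""
    runs = {}
    for t, host, ip in sorted(heartbeats):
        ts = datetime.fromisoformat(t)
        host_runs = runs.setdefault((ip, host), [])
        if host_runs and ts - host_runs[-1][1] <= max_gap:
            host_runs[-1][1] = ts          # extend the current run
        else:
            host_runs.append([ts, ts])     # gap too long: new run
    return runs


def hosts_at(runs, ip, when, coarse=False):
    """Hosts that held `ip` at `when`. coarse=True uses only the overall
    first seen / last seen per host, as a summary view would."""
    when = datetime.fromisoformat(when)
    found = []
    for (run_ip, host), host_runs in runs.items():
        if run_ip != ip:
            continue
        if coarse:
            windows = [(host_runs[0][0], host_runs[-1][1])]
        else:
            windows = host_runs
        if any(first <= when <= last for first, last in windows):
            found.append(host)
    return sorted(found)


if __name__ == "__main__":
    runs = build_intervals(HEARTBEATS)
    alert_time = "2021-05-10T14:45:00"
    print("coarse:", hosts_at(runs, "10.0.0.5", alert_time, coarse=True))
    print("gap-aware:", hosts_at(runs, "10.0.0.5", alert_time))
```

When the coarse view returns more than one host for an alert time, treat the attribution as ambiguous and check the underlying heartbeat records before acting on it.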

 

IP address log activity

 

The IP entity page also shows when an IP address was first recorded in an alert or in a set of specific common data sources. This “first seen” information is reported even if the first event has aged out of the Log Analytics retention period. This is quite helpful when trying to identify when a malicious external IP address was first seen in your environment.

 

Further Reading

 

 

User and Entity Behavior Analytics: https://docs.microsoft.com/en-in/azure/sentinel/identify-threats-with-entity-behavior-analytics
Last update: May 10 2021 01:09 PM