Attacks are rising at an unprecedented rate, and Security Operations Center (SOC) analysts need quick ways to triage their incidents and take the relevant actions. During the investigation of an incident, the entities involved and their context are an important part of understanding the scope and nature of the incident. Some of these entities can be surfaced as indicators of compromise (IOCs) for matching against future event logs.
Today we would like to announce the “Add entity to TI from the investigation graph” feature. With this feature, analysts can add an entity (of type IP, URL, Domain or Filehash) to the threat intelligence (TI) repository of Microsoft Sentinel directly from the investigation graph, without leaving the context of the investigation graph. This reduces Mean Time To Respond (MTTR) and avoids context switching while investigating the incident.
The indicator is then stored in your threat intelligence repository in Microsoft Sentinel so that it can be matched against future event data using analytics rules, hunting queries, workbooks, playbooks, etc.
Adding an entity to TI from Investigation graph
To add an entity to TI from the investigation graph, click the entity node and then click the “Add to TI” button in the right-side context pane. Microsoft Sentinel pre-populates some of the fields in the “Add new indicator” pane. For a detailed list of the fields in the Add new indicator pane and their possible values, refer to the documentation here. Once you add the entity by clicking the “Apply” button, the indicator is written to the ThreatIntelligenceIndicators table in Log Analytics and also appears in the “Threat Intelligence” blade of Microsoft Sentinel.
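As an added example (not part of the original post), the KQL hunting query below shows how a domain indicator added this way is matched against DNS query logs, following the pattern used by Sentinel's built-in TI map analytics rules. It assumes the Log Analytics table is named ThreatIntelligenceIndicator (singular, as it appears in the workspace schema) with its standard columns, and that the DnsEvents table is populated; verify both names in your workspace.

```kusto
// Hunt for DNS lookups of domains that exist as active TI indicators.
// Assumes the ThreatIntelligenceIndicator and DnsEvents tables are present.
let ioc_lookBack = 14d;   // how far back to load indicators
let dt_lookBack = 1h;     // how far back to scan DNS events
let active_domains =
    ThreatIntelligenceIndicator
    | where TimeGenerated >= ago(ioc_lookBack)
    // an edited indicator creates a new row; keep only the latest version of each one
    | summarize arg_max(TimeGenerated, *) by IndicatorId
    // ignore indicators that were deactivated or have expired
    | where Active == true and ExpirationDateTime > now()
    | where isnotempty(DomainName)
    | project IndicatorId, DomainName = tolower(DomainName), ConfidenceScore, ThreatType, Description;
DnsEvents
| where TimeGenerated >= ago(dt_lookBack)
| where SubType == "LookupQuery" and isnotempty(Name)
| extend QueriedDomain = tolower(Name)
// innerunique returns one match per DNS event even if several indicator rows share a domain
| join kind=innerunique active_domains on $left.QueriedDomain == $right.DomainName
| project TimeGenerated, Computer, ClientIP, QueriedDomain, IndicatorId, ConfidenceScore, ThreatType, Description
| order by TimeGenerated desc
```

The same shape applies to the other entity types the feature supports: swap DomainName for NetworkIP, Url or FileHashValue and join against the corresponding column of the event table you are hunting in.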
Conclusion
Hopefully, this article helps you achieve a more seamless triage process for your incidents and simplifies your workflow by reducing Mean Time To Respond (MTTR). Very soon we will add the capability to add entities to TI from other experiences in Microsoft Sentinel, such as incidents and hunting.