Blog Post

Microsoft Sentinel Blog
2 MIN READ

What’s new: customize entity page timeline!

Itay Argoety's avatar
Itay Argoety
Icon for Microsoft rankMicrosoft
Jun 02, 2021

Azure Sentinel's User and Entity Behavior Analytics provide various capabilities – from resolving different user identifiers into one user account, enriching the data, triggering anomalies, and providing entity pages for the SecOps analyst to support the investigation.

 

The entity page aggregates information from various data sources about that specific entity, providing contextual information and insights to help the SecOps analyst to decide whether it’s compromised or not.

 

Many customers ingest data into Azure Monitor custom tables. This data often contains useful information such as VPN data, internal application data, data sent by Logstash, and so on. You may also want to surface specific Windows events in the entity page that have significance in your environment.

 

Azure Sentinel can now correlate data from any table to a specific entity, and that data will surface in the entity page.

 

Our goal – surface the data that you find important to your organization in the entity page, helping SecOps to reduce time for investigation and remediation.

 

 

Spoiler
Sentinel provides some OOTB activities (KQL query) for your convenience. You can use them/modify them or create new one yourself.

 

 

How do I use this dark magic?

 

We’ve created an easy-to-follow Wizard (pun intended) for creating entity activities.

 

You can access it via the Entity Behavior blade -> Customize entity page

 

 

Microsoft provide several OOTB activities for users and host (with IP coming soon). Create a new activity by selecting Add activity, and then follow the wizard to create your custom activity:

 

  1. Select the name and description of the entity you’re creating.
  2. Select the type of entity you want to create an activity for (account or host).
  3. (Optional) Optimize your query as needed by selecting additional filter parameters.

 

Spoiler

[You can project up to 10 columns in the KQL query, and TimeGenerated is mandatory. You can also use each column as a parameter in the activity title using the following syntax ‘{{ParamName}}’

 

  • Write the KQL query to fetch the data. Make sure you’re using strong identifiers when possible. For more information, see Writing the activity query.
  • Write the activity title, which is how the activity is presented in the timeline. There are several built-in parameters to use, as described in Presenting the activity in the timeline.

 

 

 

 

  • In the Review & create area, make sure the activity validation checks out.

 

And that’s it! You can now go to the entity page and see that activity.

 

 

Spoiler
You can even filter the timeline view in the entity page to view only activities, and to view a specific activity.

 

 

 

We Value Your Opinion!

Our goal is to make your life easier while you investigate security incidents. If you have any feedback – about the experience, the wizard, the queries – or anything else,

Please let us know! We aim to improve 😊

 

 

Further Reading

 

 

Updated Nov 03, 2021
Version 2.0
  • Dean_Gross's avatar
    Dean_Gross
    Silver Contributor

    How can this be automated for deployment across many tenants?