Can Sentinel tell which network WAP my endpoint devices are connected to?


Hi,

I am not familiar with Sentinel.


Can it tell me which network Wireless Access Point all the endpoint devices are connected to, in real time?


My context is a large enterprise environment with mixed network vendors and equipment.

Since Sentinel can aggregate, maybe I could bring all the WAPs and endpoint devices in?


Best regards,

Cheers,

2 Replies

@wangjueliang everyone starts somewhere :smile:


The short answer is yes to your question: Sentinel can correlate all the data you require and show which endpoints are connected to which WAPs in and around your environment.


It's all a matter of ingesting logs from the devices you have, and there are several pathways to do that.


Check out the links below for data ingestion pathways into Sentinel for this:


Microsoft Sentinel data connectors | Microsoft Learn

Best practices for data collection in Microsoft Sentinel | Microsoft Learn

Custom data ingestion and transformation in Microsoft Sentinel | Microsoft Learn

You could create a playbook, that gets triggered when an alert that you are interested in pops up.

Within the playbook you can extract the IP address from the alert's entities and use it to perform a KQL query in the table that holds your AP logs and search for a connection event or something like that.

Then create an update incident action and tag that incident with the AP's name or something.
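As an added illustration of the lookup step described in that reply (not code from the original thread), the KQL below pulls the IP entities out of a Sentinel alert and finds the last access point each one associated with. It assumes a custom table named WapConnections_CL (a placeholder) fed from the wireless controllers, with columns ClientIp_s, ClientMac_s, ApName_s and Ssid_s; real column names will depend on the vendor and connector.

```kql
// Added example, not from the original thread.
// Assumed custom table (placeholder name): WapConnections_CL with
// TimeGenerated, ClientIp_s, ClientMac_s, ApName_s, Ssid_s.
let AlertId = "<SystemAlertId passed in by the playbook>";  // placeholder
let Lookback = 24h;
// 1. Extract the IP entities from the alert's Entities JSON array.
//    SecurityAlert.Entities holds objects such as {"Type":"ip","Address":"..."}.
let AlertIps =
    SecurityAlert
    | where SystemAlertId == AlertId
    | extend Ent = parse_json(Entities)
    | mv-expand Ent
    | where tostring(Ent.Type) == "ip"
    | project AlertIp = tostring(Ent.Address);
// 2. Find the most recent AP association for each of those IPs.
WapConnections_CL
| where TimeGenerated > ago(Lookback)
| where ClientIp_s in (AlertIps)
| summarize LastSeen = max(TimeGenerated), Events = count()
    by ClientIp = ClientIp_s, ClientMac = ClientMac_s,
       ApName = ApName_s, Ssid = Ssid_s
// Keep only the latest association per client IP.
| summarize arg_max(LastSeen, *) by ClientIp
| project ClientIp, ClientMac, ApName, Ssid, LastSeen, Events
```

The ApName column is what the playbook's update-incident action would write into the incident tag; a client that has moved between APs within the lookback window is resolved to its most recent association.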