Nov 06 2023 04:25 AM
Hi, I use the Microsoft 365 Defender data connector to forward security incidents to Sentinel.
The incident contains a lot of entities like host/username and process information.
I need the local IP address from the host (type IP) - how can I add this entity every time I get an incident?
Jan
Dec 08 2023 12:24 PM - edited Dec 08 2023 12:25 PM
Hey @SledgeLive
There's a few ways you could approach this
You could run a playbook over your incidents to inject the IP into your alert as an entity
Create a custom analytic based on the original for your use case and add in the IP
Unfortunately there's no way to surface custom entities from generated alerts / incidents from Defender into Sentinel... yet
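For the second option above (a custom analytic that carries the host's local IP as an entity), here is an added KQL example that is not from the thread or from Microsoft: it joins recent Defender alert host entities with the device's latest private IPv4 from DeviceNetworkInfo. It assumes the standard Defender XDR tables forwarded to Sentinel (AlertEvidence, DeviceNetworkInfo); the lookback windows are arbitrary choices.

```kusto
// Added example, not from the thread: the "custom analytic" approach.
// Enrich each Defender alert's host entity with the device's latest local
// (RFC 1918) IPv4 from DeviceNetworkInfo so the rule can map it as an IP entity.
// Assumes the standard Defender XDR tables forwarded to Sentinel.
let alert_lookback = 1h;      // match the rule's run frequency / lookback
let network_lookback = 7d;    // how old a network snapshot is still acceptable
// Latest active-adapter snapshot per device, one row per assigned address
let LocalIPs = DeviceNetworkInfo
    | where TimeGenerated > ago(network_lookback)
    | where NetworkAdapterStatus == "Up"
    | summarize arg_max(TimeGenerated, IPAddresses) by DeviceId
    // IPAddresses is a JSON array of {IPAddress, SubnetPrefix, AddressType}
    | mv-expand addr = parse_json(IPAddresses)
    | extend LocalIP = tostring(addr.IPAddress)
    // keep private IPv4 only; drops link-local, public and IPv6 entries
    | where ipv4_is_private(LocalIP)
    // one address per device so the column can be mapped to a single IP entity
    | summarize LocalIP = take_any(LocalIP), LastSeen = max(TimeGenerated) by DeviceId;
// Host entities from recent Defender alerts, enriched with the local IP
AlertEvidence
| where TimeGenerated > ago(alert_lookback)
| where EntityType == "Machine" and isnotempty(DeviceId)
| project TimeGenerated, AlertId, Title, Severity, DeviceId, DeviceName
| join kind=leftouter LocalIPs on DeviceId
| project TimeGenerated, AlertId, Title, Severity, DeviceName, LocalIP, LastSeen
```

In the scheduled rule's entity mapping, map Host/HostName to DeviceName and IP/Address to LocalIP; the incident created by the Defender connector for the same alert will still exist alongside the one this rule raises.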