cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Entities

SledgeLive
Copper Contributor

‎Nov 06 2023 04:25 AM

‎Nov 06 2023 04:25 AM

Entities

Hi, I use the Microsoft 365 Defender data connector to forward security incidents to Sentinel. 
The incident contains a lot of entities like host/username and process information. 
I need the local ip address from the host (type IP)  - how can I add this entity every time I get an incident?

 

Jan

 

340 Views
0 Likes
1 Reply
Reply
1 Reply
BillClarksonAntill

‎Dec 08 2023 12:24 PM - edited ‎Dec 08 2023 12:25 PM

‎Dec 08 2023 12:24 PM - edited ‎Dec 08 2023 12:25 PM

Re: Entities

Hey @SledgeLive 

 

Theres a few ways you could approach this

 

You could run a playbook over your incidents to inject the IP into your alert as an entity

 

Create a custom analytic based on the original for your use case and add in the IP

 

Unfortunately there's no way to surface custom entities from generated alerts / incidents from Defender into Sentinel....yet

 

 

0 Likes
Reply