| title | titleSuffix | description | author | ms.author | ms.topic | ms.date | appliesto | ms.collection | |
|---|---|---|---|---|---|---|---|---|---|
Add entities to threat intelligence |
Microsoft Sentinel |
Learn how to add a malicious entity discovered in an incident investigation to your threat intelligence in Microsoft Sentinel. |
yelevin |
yelevin |
how-to |
3/14/2024 |
|
usx-security |
During an investigation, you examine entities and their context as an important part of understanding the scope and nature of an incident. When you discover an entity as a malicious domain name, URL, file, or IP address in the incident, it should be labeled and tracked as an indicator of compromise (IOC) in your threat intelligence.
For example, you discover an IP address performing port scans across your network, or functioning as a command and control node, sending and/or receiving transmissions from large numbers of nodes in your network.
Microsoft Sentinel allows you to flag these types of entities right from within your incident investigation, and add it to your threat intelligence. You are able to view the added indicators both in Logs and Threat Intelligence, and use them across your Microsoft Sentinel workspace.
The new incident details page gives you another way to add entities to threat intelligence, in addition to the investigation graph. Both ways are shown below.
-
From the Microsoft Sentinel navigation menu, select Incidents.
-
Select an incident to investigate. In the incident details panel, select View full details to open the incident details page.
:::image type="content" source="media/add-entity-to-threat-intelligence/incident-details-overview.png" alt-text="Screenshot of incident details page." lightbox="media/add-entity-to-threat-intelligence/incident-details-overview.png":::
-
Find the entity from the Entities widget that you want to add as a threat indicator. (You can filter the list or enter a search string to help you locate it.)
-
Select the three dots to the right of the entity, and select Add to TI from the pop-up menu.
Only the following types of entities can be added as threat indicators:
- Domain name
- IP address (IPv4 and IPv6)
- URL
- File (hash)
:::image type="content" source="media/add-entity-to-threat-intelligence/entity-actions-from-overview.png" alt-text="Screenshot of adding an entity to threat intelligence.":::
The investigation graph is a visual, intuitive tool that presents connections and patterns and enables your analysts to ask the right questions and follow leads. You can use it to add entities to your threat intelligence indicator lists, making them available across your workspace.
-
From the Microsoft Sentinel navigation menu, select Incidents.
-
Select an incident to investigate. In the incident details panel, select the Actions button and choose Investigate from the pop-up menu. This will open the investigation graph.
:::image type="content" source="media/add-entity-to-threat-intelligence/select-incident-to-investigate.png" alt-text="Screenshot of selecting incident from queue to investigate.":::
-
Select the entity from the graph that you want to add as a threat indicator. A side panel will open on the right. Select Add to TI.
Only the following types of entities can be added as threat indicators:
- Domain name
- IP address (IPv4 and IPv6)
- URL
- File (hash)
:::image type="content" source="media/add-entity-to-threat-intelligence/add-entity-to-ti.png" alt-text="Screenshot of adding entity to threat intelligence.":::
Whichever of the two interfaces you choose, you will end up here:
-
The New indicator side panel will open. The following fields will be populated automatically:
-
Type
- The type of indicator represented by the entity you're adding.
Drop-down with possible values: ipv4-addr, ipv6-addr, URL, file, domain-name - Required; automatically populated based on the entity type.
- The type of indicator represented by the entity you're adding.
-
Value
- The name of this field changes dynamically to the selected indicator type.
- The value of the indicator itself.
- Required; automatically populated by the entity value.
-
Tags
- Free-text tags you can add to the indicator.
- Optional; automatically populated by the incident ID. You can add others.
-
Name
- Name of the indicator—this is what will be displayed in your list of indicators.
- Optional; automatically populated by the incident name.
-
Created by
- Creator of the indicator.
- Optional; automatically populated by the user logged into Microsoft Sentinel.
Fill in the remaining fields accordingly.
-
Threat type
- The threat type represented by the indicator.
- Optional; free text.
-
Description
- Description of the indicator.
- Optional; free text.
-
Revoked
- Revoked status of the indicator. Mark checkbox to revoke the indicator, clear checkbox to make it active.
- Optional; boolean.
-
Confidence
- Score reflecting confidence in the correctness of the data, by percent.
- Optional; integer, 1-100
-
Kill chain
- Phases in the Lockheed Martin Cyber Kill Chain to which the indicator corresponds.
- Optional; free text
-
Valid from
- The time from which this indicator is considered valid.
- Required; date/time
-
Valid until
- The time at which this indicator should no longer be considered valid.
- Optional; date/time
:::image type="content" source="media/add-entity-to-threat-intelligence/new-indicator-panel.png" alt-text="Screenshot of entering information in new threat indicator panel.":::
-
-
When all the fields are filled in to your satisfaction, select Apply. You'll see a confirmation message in the upper-right-hand corner that your indicator was created.
-
The entity will be added as a threat indicator in your workspace. You can find it in the list of indicators in the Threat intelligence page, and also in the ThreatIntelligenceIndicators table in Logs.
In this article, you learned how to add entities to your threat indicator lists. For more information, see: