Classify and analyze data using entities in Azure Sentinel
What are entities?
When alerts are sent to or generated by Azure Sentinel, they contain data items that Sentinel can recognize and classify into categories as entities. When Azure Sentinel understands what kind of entity a particular data item represents, it knows the right questions to ask about it, and it can then compare insights about that item across the full range of data sources, and easily track it and refer to it throughout the entire Sentinel experience - analytics, investigation, remediation, hunting, and so on. Some common examples of entities are users, hosts, files, processes, IP addresses, and URLs.
Azure Sentinel supports a wide variety of entity types. Each type has its own unique attributes, including some that can be used to identify a particular entity. These attributes are represented as fields in the entity, and are called identifiers. See the full list of supported entities and their identifiers below.
Strong and weak identifiers
As noted just above, for each type of entity there are fields, or sets of fields, that can identify it. These fields or sets of fields can be referred to as strong identifiers if they can uniquely identify an entity without any ambiguity, or as weak identifiers if they can identify an entity under some circumstances, but are not guaranteed to uniquely identify an entity in all cases. In many cases, though, a selection of weak identifiers can be combined to produce a strong identifier.
For example, user accounts can be identified as account entities in more than one way: using a single strong identifier like an Azure AD account's numeric identifier (the GUID field), or its User Principal Name (UPN) value, or alternatively, using a combination of weak identifiers like its Name and NTDomain fields. Different data sources can identify the same user in different ways. Whenever Azure Sentinel encounters two entities that it can recognize as the same entity based on their identifiers, it merges the two entities into a single entity, so that it can be handled properly and consistently.
If, however, one of your resource providers creates an alert in which an entity is not sufficiently identified - for example, using only a single weak identifier like a user name without the domain name context - then the user entity cannot be merged with other instances of the same user account. Those other instances would be identified as a separate entity, and those two entities would remain separate instead of unified.
In order to minimize the risk of this happening, you should verify that all of your alert providers properly identify the entities in the alerts they produce. Additionally, synchronizing user account entities with Azure Active Directory may create a unifying directory, which will be able to merge user account entities.
The following types of entities are currently identified in Azure Sentinel:
- User account
- IP address
- Cloud application
- Domain name
- Azure resource
- File hash
- Registry key
- Registry value
- Security group
- IoT device
- Mail cluster
- Mail message
- Submission mail
You can view these entities' identifiers and other relevant information in the entities reference.
How does Azure Sentinel recognize a piece of data in an alert as identifying an entity?
Let's look at how data processing is done in Azure Sentinel. Data is ingested from various sources through connectors, whether service-to-service, agent-based, or using a syslog service and a log forwarder. The data is stored in tables in your Log Analytics workspace. These tables are then queried at regularly scheduled intervals by the analytics rules you have defined and enabled. One of the many actions taken by these analytics rules is the mapping of data fields in the tables to Azure Sentinel-recognized entities. According to mappings you define in your analytics rules, Azure Sentinel will take fields from the results returned by your query, recognize them by the identifiers you specified for each entity type, and apply to them the entity type identified by those identifiers.
What's the point of all this?
When Azure Sentinel is able to identify entities in alerts from different types of data sources, and especially if it can do so using strong identifiers common to each data source or to a third schema, it can then easily correlate between all of these alerts and data sources. These correlations help build a rich store of information and insights on the entities, giving you a solid foundation for your security operations.
Learn how to map data fields to entities.
When you encounter any entity (currently limited to users and hosts) in a search, an alert, or an investigation, you can select the entity and be taken to an entity page, a datasheet full of useful information about that entity. The types of information you will find on this page include basic facts about the entity, a timeline of notable events related to this entity and insights about the entity's behavior.
Entity pages consist of three parts:
The left-side panel contains the entity's identifying information, collected from data sources like Azure Active Directory, Azure Monitor, Azure Security Center, and Microsoft Defender.
The center panel shows a graphical and textual timeline of notable events related to the entity, such as alerts, bookmarks, and activities. Activities are aggregations of notable events from Log Analytics. The queries that detect those activities are developed by Microsoft security research teams.
The right-side panel presents behavioral insights on the entity. These insights help to quickly identify anomalies and security threats. The insights are developed by Microsoft security research teams, and are based on anomaly detection models.
The timeline is a major part of the entity page's contribution to behavior analytics in Azure Sentinel. It presents a story about entity-related events, helping you understand the entity's activity within a specific time frame.
You can choose the time range from among several preset options (such as last 24 hours), or set it to any custom-defined time frame. Additionally, you can set filters that limit the information in the timeline to specific types of events or alerts.
The following types of items are included in the timeline:
- Alerts: any alerts in which the entity is defined as a mapped entity. Note that if your organization has created custom alerts using analytics rules, you should make sure that the rules' entity mapping is done properly.
- Bookmarks: any bookmarks that include the specific entity shown on the page.
- Activities: aggregations of notable events relating to the entity.
Entity insights are queries defined by Microsoft security researchers to help your analysts investigate more efficiently and effectively. The insights are presented as part of the entity page, and provide valuable security information on hosts and users, in the form of tabular data and charts. Having the information here means you don't have to detour to Log Analytics. The insights include data regarding sign-ins, group additions, anomalous events and more, and include advanced ML algorithms to detect anomalous behavior.
The insights are based on the following data sources:
- Syslog (Linux)
- SecurityEvent (Windows)
- AuditLogs (Azure AD)
- SigninLogs (Azure AD)
- OfficeActivity (Office 365)
- BehaviorAnalytics (Azure Sentinel UEBA)
- Heartbeat (Azure Monitor Agent)
- CommonSecurityLog (Azure Sentinel)
How to use entity pages
Entity pages are designed to be part of multiple usage scenarios, and can be accessed from incident management, the investigation graph, bookmarks, or directly from the entity search page under Entity behavior analytics in the Azure Sentinel main menu.
In this document, you learned about working with entities in Azure Sentinel. For practical guidance on implementation, and to use the insights you've gained, see the following articles: