Classify and analyze data using entities in Microsoft Sentinel

When alerts are sent to or generated by Microsoft Sentinel, they contain data items that Sentinel can recognize and classify into categories as entities. When Microsoft Sentinel understands what kind of entity a particular data item represents, it knows the right questions to ask about it, and it can then compare insights about that item across the full range of data sources, and easily track it and refer to it throughout the entire Sentinel experience - analytics, investigation, remediation, hunting, and so on. Some common examples of entities are users, hosts, files, processes, IP addresses, and URLs.

Entity identifiers

Microsoft Sentinel supports a wide variety of entity types. Each type has its own unique attributes, including some that can be used to identify a particular entity. These attributes are represented as fields in the entity, and are called identifiers. See the full list of supported entities and their identifiers below.

Strong and weak identifiers

As noted just above, for each type of entity there are fields, or sets of fields, that can identify it. These fields or sets of fields can be referred to as strong identifiers if they can uniquely identify an entity without any ambiguity, or as weak identifiers if they can identify an entity under some circumstances, but are not guaranteed to uniquely identify an entity in all cases. In many cases, though, a selection of weak identifiers can be combined to produce a strong identifier.

For example, user accounts can be identified as account entities in more than one way: using a single strong identifier like an Azure AD account's numeric identifier (the GUID field) or its User Principal Name (UPN) value, or alternatively, using a combination of weak identifiers like its Name and NTDomain fields. Different data sources can identify the same user in different ways. Whenever Microsoft Sentinel encounters two entities that it can recognize as the same entity based on their identifiers, it merges the two entities into a single entity, so that it can be handled properly and consistently.

If, however, one of your resource providers creates an alert in which an entity is not sufficiently identified - for example, using only a single weak identifier like a user name without the domain name context - then the user entity cannot be merged with other instances of the same user account. Those other instances would be identified as a separate entity, and the two entities would remain separate instead of being unified.

In order to minimize the risk of this happening, you should verify that all of your alert providers properly identify the entities in the alerts they produce. Additionally, synchronizing user account entities with Azure Active Directory may create a unifying directory, which will be able to merge user account entities.

Supported entities

The following types of entities are currently identified in Microsoft Sentinel:

  • User account
  • Host
  • IP address
  • Malware
  • File
  • Process
  • Cloud application
  • Domain name
  • Azure resource
  • File hash
  • Registry key
  • Registry value
  • Security group
  • URL
  • IoT device
  • Mailbox
  • Mail cluster
  • Mail message
  • Submission mail

You can view these entities' identifiers and other relevant information in the entities reference.

Entity mapping

How does Microsoft Sentinel recognize a piece of data in an alert as identifying an entity?

Let's look at how data processing is done in Microsoft Sentinel. Data is ingested from various sources through connectors, whether service-to-service, agent-based, or using a syslog service and a log forwarder. The data is stored in tables in your Log Analytics workspace. These tables are then queried at regularly scheduled intervals by the analytics rules you have defined and enabled. One of the many actions taken by these analytics rules is the mapping of data fields in the tables to Microsoft Sentinel-recognized entities. According to mappings you define in your analytics rules, Microsoft Sentinel will take fields from the results returned by your query, recognize them by the identifiers you specified for each entity type, and apply to them the entity type identified by those identifiers.
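The following is an added, simplified model (not Sentinel's own code or algorithm) of the two ideas described above: applying an analytics rule's entity mappings (entityType plus fieldMappings of identifier to columnName) to constructed query rows, and then merging the resulting entities by strong identifiers. It assumes, following the text, that a UPN (FullName) or the Name + NTDomain combination strongly identifies an account, while Name alone does not; the column names and sample rows are constructed for illustration.

```python
# Constructed sample rows, as if returned by three analytics-rule queries.
SIGNIN_ROWS = [{"UserPrincipalName": "alice@contoso.com", "AccountName": "alice",
                "AccountDomain": "CONTOSO", "IPAddress": "203.0.113.5"}]
SECURITY_EVENT_ROWS = [{"TargetUserName": "alice", "TargetDomainName": "CONTOSO",
                        "IpAddress": "203.0.113.5"}]
LEGACY_ROWS = [{"user": "alice"}]  # weakly identified: user name, no domain context

# Entity mappings in the shape of an analytics rule's entityMappings
# (entityType + fieldMappings of identifier -> columnName); simplified here.
SIGNIN_MAPPINGS = [
    {"entityType": "Account", "fieldMappings": [
        {"identifier": "FullName", "columnName": "UserPrincipalName"},
        {"identifier": "Name", "columnName": "AccountName"},
        {"identifier": "NTDomain", "columnName": "AccountDomain"}]},
    {"entityType": "IP", "fieldMappings": [{"identifier": "Address", "columnName": "IPAddress"}]}]
SECURITY_EVENT_MAPPINGS = [
    {"entityType": "Account", "fieldMappings": [
        {"identifier": "Name", "columnName": "TargetUserName"},
        {"identifier": "NTDomain", "columnName": "TargetDomainName"}]},
    {"entityType": "IP", "fieldMappings": [{"identifier": "Address", "columnName": "IpAddress"}]}]
LEGACY_MAPPINGS = [{"entityType": "Account",
                    "fieldMappings": [{"identifier": "Name", "columnName": "user"}]}]

# Assumed strong identifiers: one strong field, or a combination of weak fields.
STRONG_IDENTIFIERS = {"Account": [("FullName",), ("Name", "NTDomain")], "IP": [("Address",)]}

def map_entities(rows, mappings):
    """Apply the mappings to each row, producing one entity per row per mapping with values."""
    entities = []
    for row in rows:
        for m in mappings:
            ids = {f["identifier"]: row[f["columnName"]]
                   for f in m["fieldMappings"] if row.get(f["columnName"])}
            if ids:
                entities.append({"type": m["entityType"], "ids": ids})
    return entities

def strong_keys(entity):
    """Strong-identifier tuples present on the entity; empty if it has only weak identifiers."""
    keys = set()
    for fields in STRONG_IDENTIFIERS.get(entity["type"], []):
        if all(f in entity["ids"] for f in fields):
            keys.add((entity["type"],) + tuple((f, entity["ids"][f]) for f in fields))
    return keys

def merge_entities(entities):
    """Merge entities that share a strong identifier (first match only); others stay separate."""
    merged = []
    for e in entities:
        keys = strong_keys(e)
        match = next((m for m in merged if m["keys"] & keys), None)
        if match:
            match["ids"].update(e["ids"]); match["keys"] |= keys
        else:
            merged.append({"type": e["type"], "ids": dict(e["ids"]), "keys": keys})
    return merged
```

Running the three mapped result sets through merge_entities yields one account for alice from the sign-in and security-event rows, one IP address, and a second, unmerged account from the legacy alert that carried only a user name.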

What's the point of all this?

When Microsoft Sentinel is able to identify entities in alerts from different types of data sources, and especially if it can do so using strong identifiers that are common to each data source or to a third, shared schema, it can then easily correlate between all of these alerts and data sources. These correlations help build a rich store of information and insights on the entities, giving you a solid foundation for your security operations.

Learn how to map data fields to entities.

Learn which identifiers strongly identify an entity.

Entity pages

Information about entity pages can now be found at Investigate entities with entity pages in Microsoft Sentinel.

Next steps

In this document, you learned about working with entities in Microsoft Sentinel. For practical guidance on implementation, and to use the insights you've gained, see the following articles: