IP address entity page in Microsoft Defender
The IP address entity page in the Microsoft Defender portal helps you examine possible communication between your devices and external internet protocol (IP) addresses.
Identifying all devices in the organization that communicated with a suspected or known malicious IP address, such as Command and Control (C2) servers, helps determine the potential scope of breach, associated files, and infected devices.
You can find information from the following sections in the IP address entity page:
Important
Microsoft Sentinel is generally available within Microsoft's unified security operations platform in the Microsoft Defender portal. For preview, Microsoft Sentinel is available in the Defender portal without Microsoft Defender XDR or an E5 license. For more information, see Microsoft Sentinel in the Microsoft Defender portal.
In the left pane, the Overview page provides a summary of IP details (if available).
Section | Details |
---|---|
Security info | |
IP details |
The left side also has a panel showing Log activity (time first seen/last seen, data source) collected from several log sources, and another panel showing a list of logged hosts collected from Azure Monitoring Agent heartbeat tables.
The main body of the Overview page contains dashboard cards showing a count of incidents and alerts (grouped by severity) containing the IP address, and a chart of the prevalence of the IP address in the organization over the indicated time period.
The Incidents and alerts page shows a list of incidents and alerts that include the IP address as part of their story. These incidents and alerts come from any of a number of Microsoft Defender detection sources, including, if onboarded, Microsoft Sentinel. This list is a filtered version of the incidents queue, and shows a short description of the incident or alert, its severity (high, medium, low, informational), its status in the queue (new, in progress, resolved), its classification (not set, false alert, true alert), investigation state, category, who is assigned to address it, and last activity observed.
You can customize which columns are displayed for each item. You can also filter the alerts by severity, status, or any other column in the display.
The impacted assets column refers to all the user, application, and other entities referenced in the incident or alert.
When an incident or alert is selected, a fly-out appears. From this panel you can manage the incident or alert and view more details such as incident/alert number and related devices. Multiple alerts can be selected at a time.
To see a full page view of an incident or alert, select its title.
The Observed in organization section provides a list of devices that have a connection with this IP and the last event details for each device (the list is limited to 100 devices).
If your organization onboarded Microsoft Sentinel to the Defender portal, this additional tab is on the IP address entity page. This tab imports the IP entity page from Microsoft Sentinel.
This timeline shows alerts associated with the IP address entity. These alerts include those seen on the Incidents and alerts tab and those created by Microsoft Sentinel from third-party, non-Microsoft data sources.
This timeline also shows bookmarked hunts from other investigations that reference this IP entity, IP activity events from external data sources, and unusual behaviors detected by Microsoft Sentinel's anomaly rules.
Entity insights are queries defined by Microsoft security researchers to help you investigate more efficiently and effectively. These insights automatically ask the big questions about your IP entity, providing valuable security information in the form of tabular data and charts. The insights include data from various IP threat intelligence sources, network traffic inspection, and more, and include advanced machine learning algorithms to detect anomalous behavior.
The following are some of the insights shown:
- Microsoft Defender Threat Intelligence reputation.
- Virus Total IP Address.
- Recorded Future IP Address.
- Anomali IP Address
- AbuseIPDB.
- Anomalies count by IP address.
- Network traffic inspection.
- IP address remote connections with TI match.
- IP address remote connections.
- This IP has a TI match.
- Watchlist insights (Preview).
The insights are based on the following data sources:
- Syslog (Linux)
- SecurityEvent (Windows)
- AuditLogs (Microsoft Entra ID)
- SigninLogs (Microsoft Entra ID)
- OfficeActivity (Office 365)
- BehaviorAnalytics (Microsoft Sentinel UEBA)
- Heartbeat (Azure Monitor Agent)
- CommonSecurityLog (Microsoft Sentinel)
If you want to further explore any of the insights in this panel, select the link accompanying the insight. The link takes you to the Advanced hunting page, where it displays the query underlying the insight, along with its raw results. You can modify the query or drill down into the results to expand your investigation or just satisfy your curiosity.
Response actions offer shortcuts to analyze, investigate, and defend against threats.
Response actions run along the top of a specific IP entity page and include:
Action | Description |
---|---|
Add indicator | Opens a wizard for you to add this IP address as an Indicator of Compromise (IoC) to your Threat Intelligence knowledgebase. |
Open cloud app IP settings | Opens the IP address ranges configuration screen for you to add the IP address to it. |
Investigate in Activity log | Opens the Microsoft 365 Activity log screen for you to look for the IP address in other logs. |
Go hunt | Opens the Advanced hunting page, with a built-in hunting query to find instances of this IP address. |
- Microsoft Defender XDR overview
- Turn on Microsoft Defender XDR
- Device entity page in Microsoft Defender
- User entity page in Microsoft Defender
- Microsoft Defender XDR integration with Microsoft Sentinel
- Connect Microsoft Sentinel to Microsoft Defender XDR
Tip
Do you want to learn more? Engage with the Microsoft Security community in our Tech Community: Microsoft Defender for Endpoint Tech Community.