In Microsoft Sentinel, entities are fundamental components that help security analysts classify and analyze data effectively during threat detection and investigation. Entities represent identifiable objects within your security data, such as user accounts, IP addresses, hosts, files, URLs, and processes. Understanding how to work with entities is crucial for the Security Operations Analyst role.
Entity classification involves categorizing security events based on the type of objects involved. Microsoft Sentinel automatically extracts and maps entities from ingested data using entity mapping in analytics rules. When you create or modify an analytics rule, you define which fields in your data correspond to specific entity types. For example, you might map a username field to an Account entity or an IP address field to an IP entity.
Once entities are properly classified, analysis becomes more powerful. Entity behavior analytics (UEBA) in Microsoft Sentinel builds behavioral profiles for entities across time and peer groups. This allows the system to identify anomalous activities that might indicate compromise. For instance, if a user account suddenly accesses resources at unusual hours or from unexpected locations, UEBA can flag this deviation.
Entities also enable investigation capabilities through the entity pages and investigation graph. When an incident occurs, analysts can click on any entity to view its complete activity history, related alerts, and timeline of events. The investigation graph visually displays relationships between entities, helping analysts understand attack chains and lateral movement patterns.
Additionally, entities support threat intelligence matching. When you import threat indicators, Sentinel automatically correlates them against entity data in your environment, generating alerts when matches occur. Watchlists can also be created to monitor specific entities of interest, such as high-value assets or terminated employee accounts. Proper entity classification ensures accurate correlation and reduces false positives in your security operations workflow.
Classify and Analyze Data Using Entities
Why It Is Important
Understanding how to classify and analyze data using entities is crucial for security operations analysts because it enables efficient threat detection and investigation. Entities represent real-world objects like user accounts, IP addresses, hosts, and files that appear in security data. By properly classifying and analyzing these entities, analysts can identify patterns, detect anomalies, and correlate related security events across different data sources. This capability is fundamental to Microsoft Sentinel and other Microsoft security tools, making it essential knowledge for the SC-200 exam.
What Are Entities?
Entities are identifiable objects extracted from security alerts and events in Microsoft Sentinel. Common entity types include:
• Account - User accounts, service accounts, or system accounts
• Host - Computers, servers, or devices on the network
• IP Address - IPv4 or IPv6 addresses involved in security events
• URL - Web addresses associated with potential threats
• File - Files including their names, hashes, and paths
• Mailbox - Email mailboxes involved in phishing or compromise
• Process - Running processes on endpoints
• Registry Key - Windows registry entries
How Entity Classification Works
Microsoft Sentinel uses entity mapping in analytics rules to extract and classify entities from raw log data. When creating or modifying analytics rules, you define which fields in your data correspond to specific entity types. For example:
1. Entity mapping configuration - You specify which columns in your query results map to entity properties
2. Entity identification - Sentinel extracts these values and creates entity objects
3. Entity enrichment - Additional context is added from threat intelligence and other sources
4. Entity correlation - Related entities are linked across multiple alerts and incidents
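The four steps above, worked through end to end as an added example (this is illustrative Python, not Sentinel's own code). The mapping structure assumes the entityType / fieldMappings / identifier / columnName shape used by analytics rules; the alert rows, column names and the threat indicator list are constructed for the example. It shows the column-to-entity extraction (steps 1 and 2), enrichment by matching IP entities against indicators (step 3), and correlation of alerts that share an entity into one incident (step 4).

```python
"""Entity mapping, indicator matching and entity-based alert correlation.

Added example that mimics the shape of a Sentinel analytics-rule entity mapping
(entityType / fieldMappings / identifier / columnName). All rows and indicators
below are constructed sample data, not output from a real workspace.
"""
from collections import defaultdict

# Constructed entity mappings, one per entity type, as an analytics rule would declare them.
ENTITY_MAPPINGS = [
    {"entityType": "Account",
     "fieldMappings": [{"identifier": "Name", "columnName": "AccountName"},
                       {"identifier": "UPNSuffix", "columnName": "UPNSuffix"}]},
    {"entityType": "IP",
     "fieldMappings": [{"identifier": "Address", "columnName": "IPAddress"}]},
    {"entityType": "Host",
     "fieldMappings": [{"identifier": "HostName", "columnName": "DeviceName"}]},
]

# Constructed query result rows, each standing in for one alert raised by an analytics rule.
ALERT_ROWS = [
    {"AlertName": "Sign-in from new country", "AccountName": "jdoe",
     "UPNSuffix": "contoso.example", "IPAddress": "203.0.113.10", "DeviceName": "LAPTOP-01"},
    {"AlertName": "Password spray", "AccountName": "asmith",
     "UPNSuffix": "contoso.example", "IPAddress": "203.0.113.10", "DeviceName": ""},
    {"AlertName": "Unusual process on host", "AccountName": "svc-backup",
     "UPNSuffix": "contoso.example", "IPAddress": "", "DeviceName": "LAPTOP-01"},
    {"AlertName": "Legacy auth attempt", "AccountName": "bwong",
     "UPNSuffix": "fabrikam.example", "IPAddress": "198.51.100.7", "DeviceName": "DESKTOP-22"},
]

# Constructed threat indicators (documentation-range address, not a real IoC).
INDICATOR_IPS = {"203.0.113.10"}


def map_entities(row, mappings=ENTITY_MAPPINGS):
    """Steps 1-2: apply each mapping to one result row and return entity dicts.
    A mapping yields no entity when every column it references is empty."""
    entities = []
    for mapping in mappings:
        props = {fm["identifier"]: row.get(fm["columnName"], "")
                 for fm in mapping["fieldMappings"]}
        if any(props.values()):
            entities.append({"type": mapping["entityType"], **props})
    return entities


def entity_key(entity):
    """Canonical identity string; two alerts 'share an entity' when keys are equal."""
    if entity["type"] == "Account":
        return f"Account:{entity['Name'].lower()}@{entity['UPNSuffix'].lower()}"
    if entity["type"] == "IP":
        return f"IP:{entity['Address']}"
    if entity["type"] == "Host":
        return f"Host:{entity['HostName'].upper()}"
    raise ValueError(f"unsupported entity type {entity['type']}")


def match_indicators(rows, indicators=INDICATOR_IPS, mappings=ENTITY_MAPPINGS):
    """Step 3: names of alerts whose IP entity matches a threat indicator."""
    hits = []
    for row in rows:
        for ent in map_entities(row, mappings):
            if ent["type"] == "IP" and ent["Address"] in indicators:
                hits.append(row["AlertName"])
    return hits


def correlate_alerts(rows, mappings=ENTITY_MAPPINGS):
    """Step 4: group alerts into incidents; alerts sharing any entity key land together.
    Uses a small union-find so that A~B and A~C put A, B and C in one incident."""
    parent = list(range(len(rows)))

    def find(i):
        while parent[i] != i:
            parent[i] = parent[parent[i]]
            i = parent[i]
        return i

    first_seen = {}
    for i, row in enumerate(rows):
        for ent in map_entities(row, mappings):
            key = entity_key(ent)
            if key in first_seen:
                parent[find(i)] = find(first_seen[key])
            else:
                first_seen[key] = i
    incidents = defaultdict(list)
    for i, row in enumerate(rows):
        incidents[find(i)].append(row["AlertName"])
    return sorted(incidents.values(), key=lambda names: names[0])


if __name__ == "__main__":
    for incident in correlate_alerts(ALERT_ROWS):
        print("incident:", incident)
    print("indicator hits:", match_indicators(ALERT_ROWS))
```

Note the transitive grouping: the first and second alerts share an IP entity, the first and third share a Host entity, so all three form one incident while the fourth stays separate. The account key lower-cases name and UPN suffix; without such normalization, case differences between data sources silently break correlation.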
How to Analyze Entities
Analysts use several tools and techniques to analyze entities:
• Entity Pages - Dedicated pages in Sentinel showing all information about a specific entity
• Entity Behavior Analytics (UEBA) - Machine learning-based analysis of entity behavior patterns
• Investigation Graph - Visual representation of relationships between entities in an incident
• Bookmarks - Saving specific query results with entity information for later analysis
• Threat Intelligence Matching - Comparing entities against known indicators of compromise
User and Entity Behavior Analytics (UEBA)
UEBA is a powerful feature that builds baseline behavioral profiles for entities. It can detect:
• Anomalous account activities
• Unusual access patterns
• Lateral movement attempts
• Privilege escalation activities
• Data exfiltration behaviors
UEBA requires specific data connectors to be enabled, including Azure Active Directory and security event logs.
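To make the baseline idea concrete, here is an added example (illustrative Python, not Sentinel's UEBA, which uses machine learning models and peer groups that this toy does not attempt). It builds a per-account profile of sign-in hours and countries from a constructed baseline window of SigninLogs-like records, then flags later sign-ins that fall outside that profile, the "unusual hours or unexpected locations" deviation described earlier. All accounts, timestamps and countries are constructed sample values.

```python
"""Simple per-account behavioral baseline and deviation scoring.

Added example standing in for the UEBA concept: learn what is normal for an
Account entity from a baseline window, then report sign-ins that deviate.
All records are constructed sample data.
"""
from collections import defaultdict
from datetime import datetime

# Constructed baseline sign-ins: (user principal name, UTC timestamp, country code).
BASELINE = [
    ("jdoe@contoso.example", "2024-03-04T08:15:00", "GB"),
    ("jdoe@contoso.example", "2024-03-05T09:02:00", "GB"),
    ("jdoe@contoso.example", "2024-03-06T17:40:00", "GB"),
    ("jdoe@contoso.example", "2024-03-07T10:11:00", "GB"),
    ("asmith@contoso.example", "2024-03-04T22:30:00", "US"),
    ("asmith@contoso.example", "2024-03-05T23:05:00", "US"),
    ("asmith@contoso.example", "2024-03-06T21:50:00", "US"),
]

# Constructed later sign-ins to score against the baseline.
NEW_EVENTS = [
    ("jdoe@contoso.example", "2024-03-11T09:30:00", "GB"),     # within profile
    ("jdoe@contoso.example", "2024-03-11T03:12:00", "GB"),     # unusual hour
    ("jdoe@contoso.example", "2024-03-12T10:00:00", "RU"),     # country never seen
    ("asmith@contoso.example", "2024-03-11T22:10:00", "US"),   # within profile
    ("newhire@contoso.example", "2024-03-11T08:00:00", "GB"),  # no baseline yet
]


def build_profiles(events, hour_slack=1):
    """Per-account profile: an allowed hour window (observed min..max widened by
    hour_slack on each side) plus the set of countries seen in the baseline."""
    hours, countries = defaultdict(list), defaultdict(set)
    for user, ts, country in events:
        hours[user].append(datetime.fromisoformat(ts).hour)
        countries[user].add(country)
    return {
        user: {"hour_min": max(0, min(h) - hour_slack),
               "hour_max": min(23, max(h) + hour_slack),
               "countries": countries[user]}
        for user, h in hours.items()
    }


def score_event(profile, event):
    """Return the list of deviation reasons for one sign-in.
    An empty list means the sign-in matches the account's baseline."""
    user, ts, country = event
    if profile is None:
        # An account with no history cannot be scored; surface it rather than ignore it.
        return ["no baseline for account"]
    reasons = []
    hour = datetime.fromisoformat(ts).hour
    if not (profile["hour_min"] <= hour <= profile["hour_max"]):
        reasons.append(f"hour {hour:02d} outside {profile['hour_min']:02d}-{profile['hour_max']:02d}")
    if country not in profile["countries"]:
        reasons.append(f"country {country} not seen before")
    return reasons


def find_anomalies(baseline, new_events):
    """Score every new event and keep those with at least one deviation reason."""
    profiles = build_profiles(baseline)
    flagged = []
    for user, ts, country in new_events:
        reasons = score_event(profiles.get(user), (user, ts, country))
        if reasons:
            flagged.append((user, ts, reasons))
    return flagged


if __name__ == "__main__":
    for user, ts, reasons in find_anomalies(BASELINE, NEW_EVENTS):
        print(f"{ts} {user}: {'; '.join(reasons)}")
```

Two design points carry over to real deployments: a brand-new account has no baseline, so it should be surfaced as "unscorable" rather than silently treated as normal, and the hour window is widened by a slack value so that a single early login does not become a permanent alert source. The baseline window must be long enough to cover the account's normal rhythm (a weekend or on-call shift) or the profile will be too narrow.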
Exam Tips: Answering Questions on Classify and Analyze Data Using Entities
1. Know the entity types - Memorize the common entity types (Account, Host, IP, URL, File, Mailbox) and understand what data each represents
2. Understand entity mapping - Questions often ask about configuring entity mapping in analytics rules. Remember that you map query result columns to entity properties
3. UEBA prerequisites - Know that UEBA requires Azure AD connector and appropriate data sources to function properly
4. Investigation Graph usage - Understand that the Investigation Graph visualizes entity relationships and is used for incident investigation
5. Entity pages vs Entity behavior - Distinguish between static entity information (Entity Pages) and behavioral analysis (UEBA)
6. Focus on practical scenarios - Exam questions often present scenarios asking which entity type to use or how to configure entity mapping for specific detection goals
7. Remember enrichment sources - Entities can be enriched with threat intelligence, watchlists, and external data sources
8. Correlation across incidents - Understand that entities help correlate multiple alerts into single incidents when the same entity appears in different alerts
9. Bookmarks and hunting - Know that bookmarks preserve entity information during threat hunting sessions for later incident creation
10. Practice KQL queries - Be comfortable with KQL queries that extract and analyze entity data from Sentinel tables like SecurityEvent and SigninLogs