Evidence and entity investigation is a critical component of incident response in Microsoft Security Operations. This process involves systematically analyzing artifacts, indicators of compromise (IOCs), and related entities to understand the full scope of a security incident.
In Microsoft Sentinel and Microsoft 365 Defender, security analysts perform evidence investigation by examining alerts and their associated data, then correlating that information across multiple sources. The investigation typically begins with an initial alert or incident that triggers further analysis.
Key aspects of evidence investigation include:
1. **Entity Analysis**: Entities are objects like user accounts, IP addresses, hosts, files, and URLs that appear in security data. Microsoft Sentinel provides entity pages that consolidate all relevant information about a specific entity, showing its activity timeline, related alerts, and behavioral patterns.
2. **Investigation Graph**: Microsoft Sentinel offers an investigation graph that visually maps relationships between entities and alerts. Analysts can expand nodes to discover connected entities and trace attack paths through the environment.
3. **Timeline Analysis**: Reviewing the chronological sequence of events helps analysts understand how an attack progressed and identify the initial entry point.
4. **Bookmarks**: During investigation, analysts can bookmark important findings for later reference and include them in incident documentation.
5. **Entity Behavior Analytics**: UEBA capabilities help identify anomalous behavior by comparing current entity activities against established baselines.
6. **Threat Intelligence Integration**: Analysts cross-reference indicators with threat intelligence feeds to identify known malicious actors or campaigns.
7. **Data Enrichment**: Additional context from external sources enhances understanding of entities and evidence.
The goal is to determine the attack vector, affected systems, compromised accounts, and data exposure. This thorough investigation enables appropriate containment, eradication, and recovery actions while supporting post-incident reporting and lessons learned documentation.
Perform Evidence and Entity Investigation
Why is Evidence and Entity Investigation Important?
Evidence and entity investigation is a critical skill for Security Operations Analysts because it enables them to understand the full scope of security incidents. When a threat is detected, analysts must trace the attack chain, identify compromised assets, and determine the extent of the breach. This process helps organizations contain threats faster, prevent lateral movement, and improve their overall security posture.
What is Evidence and Entity Investigation?
Evidence and entity investigation involves examining various data points and objects related to a security incident in Microsoft Sentinel and Microsoft 365 Defender. Entities are objects like users, hosts, IP addresses, files, and processes that appear in security alerts. Evidence refers to the artifacts and logs that support the investigation, such as email messages, registry keys, and network connections.
Key entities include:
- User accounts: Azure AD and on-premises accounts
- Hosts/Devices: Computers and servers
- IP addresses: Source and destination IPs
- Files: Executables, scripts, and documents
- Processes: Running applications and services
- Mailboxes: Email accounts and messages
- URLs: Web addresses accessed
How Does It Work?
In Microsoft Sentinel:
- Entity pages provide comprehensive information about specific entities
- The investigation graph visualizes relationships between entities
- Entity behavior analytics (UEBA) identifies anomalous activities
- Bookmarks allow analysts to save important evidence for later review
- Timeline views show entity activity over time
In Microsoft 365 Defender:
- The evidence tab in incidents shows all related artifacts
- Device timelines display detailed activity logs
- Advanced hunting queries help find additional evidence
- The alert story provides context about detected threats
- Automated investigation collects and analyzes evidence
Investigation Workflow:
1. Review the incident and associated alerts
2. Examine entity pages for affected users and devices
3. Use the investigation graph to explore relationships
4. Run hunting queries to find additional artifacts
5. Add bookmarks to preserve critical evidence
6. Document findings and determine remediation actions
Exam Tips: Answering Questions on Perform Evidence and Entity Investigation
Understand the tools: Know the difference between Microsoft Sentinel entity pages and Microsoft 365 Defender evidence tabs. Questions often ask which tool to use for specific scenarios.
Know entity types: Be familiar with all entity types (user, host, IP, file, URL, mailbox, process) and what information each entity page contains.
Investigation graph mastery: Understand how to use the investigation graph to explore connections between entities. Know that you can expand nodes to discover related entities.
UEBA knowledge: Questions may ask about User and Entity Behavior Analytics. Know that UEBA uses machine learning to detect anomalies based on baseline behavior.
Bookmarks purpose: Remember that bookmarks preserve evidence and can be added to incidents for documentation and reporting purposes.
Timeline analysis: Understand that device timelines in Defender show chronological activity, which is essential for reconstructing attack sequences.
Advanced hunting: Know basic KQL queries for finding evidence. Questions may present scenarios requiring you to identify the correct query approach.
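As an added example (not part of the original study guide) of the hunting step in the investigation workflow above and of the kind of KQL this tip refers to, the following Microsoft 365 Defender advanced hunting query pivots from the device entities named in one alert to the process and network activity on those devices around the alert time, and merges both into a single timeline that can be bookmarked. It assumes the standard Defender advanced hunting tables (AlertInfo, AlertEvidence, DeviceProcessEvents, DeviceNetworkEvents); the alert id is a placeholder to be replaced with the real AlertId from the incident.

```kql
// Added example, not from the original page: pivot from one alert's device
// evidence to surrounding process and network activity on that device.
let TargetAlertId = "PLACEHOLDER_ALERT_ID";   // placeholder: use the incident's real AlertId
let Window = 1h;                              // look 1 hour either side of the alert
// Step 1: anchor on the alert time and the device entities the alert already names
let AlertTime = toscalar(
    AlertInfo
    | where AlertId == TargetAlertId
    | summarize min(Timestamp));
let AlertDevices =
    AlertEvidence
    | where AlertId == TargetAlertId and EntityType == "Machine"
    | distinct DeviceId, DeviceName;
// Step 2: process evidence on the affected devices inside the window
let Procs =
    DeviceProcessEvents
    | where Timestamp between ((AlertTime - Window) .. (AlertTime + Window))
    | join kind=inner AlertDevices on DeviceId
    | project Timestamp, DeviceName, AccountName, EntityKind = "Process",
              Detail = strcat(InitiatingProcessFileName, " -> ", FileName, " ", ProcessCommandLine),
              SHA256;
// Step 3: network evidence initiated on the same devices in the same window
let Net =
    DeviceNetworkEvents
    | where Timestamp between ((AlertTime - Window) .. (AlertTime + Window))
    | join kind=inner AlertDevices on DeviceId
    | project Timestamp, DeviceName, AccountName = InitiatingProcessAccountName, EntityKind = "Network",
              Detail = strcat(InitiatingProcessFileName, " -> ", RemoteIP, ":", RemotePort, " ", RemoteUrl),
              SHA256 = InitiatingProcessSHA256;
// Step 4: merge into one chronological timeline for review and bookmarking
union Procs, Net
| order by Timestamp asc
| project Timestamp, DeviceName, AccountName, EntityKind, Detail, SHA256
```

Rows of interest in the result can be bookmarked directly from the query results and attached to the incident, which covers workflow steps 4 and 5 in one pass.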
Scenario-based questions: When presented with an incident scenario, focus on identifying which entities need investigation first based on the alert type and potential impact.
Remediation actions: Understand what remediation actions are available for different entity types, such as isolating devices, disabling accounts, or blocking files.