Taking Entity Investigation to the Next Level: Microsoft Sentinel’s Upgraded Entity Pages


Entities such as users, devices, or cloud resources are the cornerstone of security investigations. These entities form the core of the cyber ecosystem, with every incident stemming from their interactions. The entity pages in Microsoft Sentinel offer invaluable insights into these interactions, enabling your security teams to delve deeper into the data and understand the dynamics that lead to security incidents.

By giving you access to detailed entity data via the entity pages and side panels, we facilitate a deeper exploration of incidents, allowing for a more targeted and effective response. We're excited to announce that we're taking this a step further with the public preview of an upgraded version of our account, host, IP and Azure resource entity pages.

Enriched Incident Context with Full Entity Data

The heart of this update lies in our commitment to providing comprehensive, accessible security information. We've enhanced the entity information available in our Incident Page, integrating a rich context that will aid your investigations. This integration allowing your security team to quickly understand and react to incidents.

Latency Reduction for a Smoother Experience

In the world of , speed is of the essence. That's why we have enhanced our system to reduce latency. This improvement ensures a smoother and faster user experience, allowing your team to swiftly access and process information, keeping you one step ahead of potential threats.

Enhanced Security Details for Account Page

Building on our mission to provide a user-friendly and comprehensive security experience, we've introduced much-awaited improvements to our account page. You'll now find additional security-oriented details such as:

  • Account status
  • Account type and source
  • Account creation time
  • Scope of account impact (Blast Radius)
  • Watchlists
  • Security group membership
  • status (soon)

These insights, now resectioned into intuitive categories, are designed to enhance your account investigation experience. This improved structure aids in providing a deeper understanding of potential risks and threats, facilitating a more streamlined and effective analysis.

Revamped Timeline UI

Keeping track of security incidents and their evolution over time is a critical aspect of effective threat management. To enhance this experience, we've revamped the timeline UI to offer detailed insights into alerts, anomalies, bookmarks, and activities. One of the notable upgrades is the new ability to run playbooks on alerts directly from the timeline, allowing for an immediate and streamlined response.

The improved UX makes navigating through the entity history even more straightforward.  We've also introduced new, intuitively placed filters to assist with efficient pattern identification and understanding the timeline of events. These enhancements contribute to a smoother process and enable a more insightful and effective analysis.

Below is a screenshot of the updated account page. Areas that are either completely new or significantly revamped have been highlighted with red rectangles for easy identification:

User page with highlighted new.png

 New Entity Action: Adding IP to TI 

The ability to add an IP directly to your (TI) is now possible with our latest update. This new entity action significantly bolsters your response strategy against threats, providing an additional layer of protection for your systems.

Integrated Investigative Experience

To further streamline your investigative process, we've embedded the Log Analytics window as part of this update. This feature aims to provide a more contextual and integrated experience, placing critical information at your fingertips, thereby facilitating faster decision-making.

Below is a screenshot of the updated IP page. The in-context Log Analytics window, as well as the newly added ‘Add to TI' action, have been highlighted with red rectangles for your easy reference:

IP page finally fixed.png


This article was originally published by Microsoft's Sentinel Blog. You can find the original article here.