articles/sentinel/add-entity-to-threat-intelligence.md
5 additions & 5 deletions
@@ -14,19 +14,19 @@ ms.collection: usx-security
14
14
15
15
# Add entities to threat intelligence in Microsoft Sentinel
16
16
17
-
During an investigation, you examine entities and their context as an important part of understanding the scope and nature of an incident. When you discover an entity as a malicious domain name, URL, file, or IP address in the incident, it should be labeled and tracked as an indicator of compromise in your threat intelligence.
17
+
During an investigation, you examine entities and their context as an important part of understanding the scope and nature of an incident. When you discover an entity as a malicious domain name, URL, file, or IP address in the incident, it should be labeled and tracked as an indicator of compromise (IOC) in your threat intelligence.
18
18
19
-
For example, you might discover an IP address that performs port scans across your network or functions as a command and control node by sending and receiving transmissions from large numbers of nodes in your network.
19
+
For example, you might discover an IP address that performs port scans across your network or functions as a command and control node by sending and/or receiving transmissions from large numbers of nodes in your network.
20
20
21
21
With Microsoft Sentinel, you can flag these types of entities from within your incident investigation and add them to your threat intelligence. You can view the added indicators in **Logs** and **Threat Intelligence** and use them across your Microsoft Sentinel workspace.
22
22
23
23
## Add an entity to your threat intelligence
24
24
25
-
The [new Incident details page](investigate-incidents.md) and the investigation graph give you two ways to add entities to threat intelligence. Both ways are shown here.
25
+
The [Incident details page](investigate-incidents.md) and the investigation graph give you two ways to add entities to threat intelligence. Both ways are shown here.
26
26
27
27
# [Incident details page](#tab/incidents)
28
28
29
-
1. On the Microsoft Sentinel menu, select **Incidents**.
29
+
1. On the Microsoft Sentinel menu, select **Incidents** from the **Threat management** section.
30
30
31
31
1. Select an incident to investigate. On the **Incident details** pane, select **View full details** to open the **Incident details** page.
32
32
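Review bot: On new line 19, "sending and/or receiving" is harder to read than the original "sending and receiving" and does not change what an analyst should look for; "sending or receiving transmissions" covers both directions in plain wording. On new line 17, "(IOC)" is introduced, but the visible text that follows keeps saying "indicators", so either use the abbreviation in later sentences or drop the parenthetical. Removing "new" from the link text on line 25 is fine as long as the linked investigate-incidents.md no longer distinguishes a new and a legacy page.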
@@ -49,7 +49,7 @@ The [new Incident details page](investigate-incidents.md) and the investigation
49
49
50
50
The [investigation graph](investigate-cases.md) is a visual, intuitive tool that presents connections and patterns and enables your analysts to ask the right questions and follow leads. Use it to add entities to your threat intelligence indicator lists by making them available across your workspace.
51
51
52
-
1. On the Microsoft Sentinel menu, select **Incidents**.
52
+
1. On the Microsoft Sentinel menu, select **Incidents** from the **Threat management** section.
53
53
54
54
1. Select an incident to investigate. On the **Incident details** pane, select **Actions**, and choose **Investigate** from the pop-up menu to open the investigation graph.
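Review bot: On new line 52, the step names the item to select before the section it sits in, so the reader has to scan the menu twice; following the UI order reads better: "On the Microsoft Sentinel menu, under **Threat management**, select **Incidents**." The same sentence is added at line 29 in the Incident details tab, so change both together to keep the two procedures word-for-word identical.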