Microsoft 365 Defender provides a unified pre- and post-breach enterprise defense suite that natively coordinates detection, prevention, investigation, and response across endpoints, identities, email, and applications to provide integrated protection against sophisticated attacks. Within this suite, entities play a critical role. Common entity types include users, hosts, files, processes, and IP addresses.
The first step in classifying and analyzing entity data is to collect and normalize the data. Microsoft security solutions, such as Microsoft Defender for Endpoint, collate data related to entities into a structured format that can be easily analyzed.
| Data Source | Entity Type | Information Collected |
|---|---|---|
| Microsoft Defender for ID | User, Host | Identity data, Logon activity |
| Azure AD Identity Protection | User | Risk events, Sign-in logs |
| Microsoft Defender for Endpoint | Host, File, Process | Endpoint alerts, File paths |
| Microsoft Cloud App Security | User, IP | App usage, Data access |
Behavior analytics involves the creation of a baseline of normal behavior for each entity. Anomalies are then identified by comparing current data with the baseline.
For example, a user entity typically accesses company resources during specific hours. A sign-in during an unusual hour, or from a geographically improbable location, is flagged as an anomaly that requires further investigation.
Using the entity data, threat detection algorithms hunt for signs of known attack patterns, such as lateral movements, credential dumping, or data exfiltration attempts. For instance, multiple failed login attempts from a single IP address entity may indicate a brute force attack.
Security analysts can use tools provided by Microsoft, such as Microsoft Sentinel. Sentinel allows for setting up custom alert rules based on entity behaviors, correlating entity data with threat intelligence feeds, and creating automated responses to detected threats.
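The two detections described above (a per-user baseline of normal sign-in hours, and repeated failed sign-ins from a single IP entity) can be expressed as a small amount of detection logic run over sign-in events. The following is an added example written for this page, not code from Microsoft 365 Defender or Microsoft Sentinel: the event tuple format, the sample sign-in records, the one-hour tolerance and the five-failures-in-five-minutes threshold are all constructed assumptions. In Sentinel the same logic would live in a KQL analytics rule over the SigninLogs table; plain Python is used here so the behaviour can be traced by hand.

```python
"""Baseline-and-anomaly detection over constructed sign-in events (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: (user, ISO timestamp, source IP, result).
# The "baseline" set represents a learning window of known-good activity.
BASELINE_EVENTS = [
    ("alice", "2024-03-04T08:05:00", "10.0.0.5", "Success"),
    ("alice", "2024-03-04T09:10:00", "10.0.0.5", "Success"),
    ("alice", "2024-03-05T08:30:00", "10.0.0.5", "Success"),
    ("alice", "2024-03-05T17:45:00", "10.0.0.5", "Success"),
    ("alice", "2024-03-06T09:00:00", "10.0.0.5", "Success"),
    ("bob", "2024-03-04T13:00:00", "10.0.0.9", "Success"),
    ("bob", "2024-03-05T14:20:00", "10.0.0.9", "Success"),
]

# Constructed "current" events to be compared against the baseline.
RECENT_EVENTS = [
    ("alice", "2024-03-07T08:15:00", "10.0.0.5", "Success"),        # inside baseline hours
    ("alice", "2024-03-07T03:02:00", "198.51.100.7", "Success"),    # 03:00 sign-in: anomaly
    ("bob", "2024-03-07T13:30:00", "10.0.0.9", "Success"),
    # Six failures from one source IP within 75 seconds: brute-force candidate.
    ("carol", "2024-03-07T22:00:05", "203.0.113.44", "Failure"),
    ("carol", "2024-03-07T22:00:20", "203.0.113.44", "Failure"),
    ("dave", "2024-03-07T22:00:35", "203.0.113.44", "Failure"),
    ("dave", "2024-03-07T22:00:50", "203.0.113.44", "Failure"),
    ("erin", "2024-03-07T22:01:05", "203.0.113.44", "Failure"),
    ("erin", "2024-03-07T22:01:20", "203.0.113.44", "Failure"),
    ("bob", "2024-03-07T13:31:00", "10.0.0.9", "Failure"),          # single typo, below threshold
]


def parse(ts: str) -> datetime:
    return datetime.fromisoformat(ts)


def build_hour_baseline(events):
    """Per-user set of clock hours (0-23) in which successful sign-ins were observed."""
    baseline = defaultdict(set)
    for user, ts, _ip, result in events:
        if result == "Success":
            baseline[user].add(parse(ts).hour)
    return baseline


def unusual_hour_logins(events, baseline, tolerance=1):
    """Successful sign-ins whose hour is more than `tolerance` hours away from every
    hour in that user's baseline. Users with no baseline are skipped here; a SOC would
    normally route those to a separate 'new or dormant account' review."""
    anomalies = []
    for user, ts, ip, result in events:
        hours = baseline.get(user)
        if result != "Success" or not hours:
            continue
        hour = parse(ts).hour
        # Circular distance on a 24-hour clock, so 23:00 and 01:00 are two hours apart.
        if all(min(abs(hour - h), 24 - abs(hour - h)) > tolerance for h in hours):
            anomalies.append((user, ts, ip))
    return anomalies


def brute_force_sources(events, threshold=5, window=timedelta(minutes=5)):
    """Source IPs with at least `threshold` failed sign-ins inside any sliding window
    of length `window`. Returns {ip: peak failure count in a window}."""
    failures = defaultdict(list)
    for _user, ts, ip, result in events:
        if result == "Failure":
            failures[ip].append(parse(ts))
    flagged = {}
    for ip, times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # Slide the window start forward until it spans at most `window`.
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[ip] = max(flagged.get(ip, 0), count)
    return flagged


if __name__ == "__main__":
    baseline = build_hour_baseline(BASELINE_EVENTS)
    for user, ts, ip in unusual_hour_logins(RECENT_EVENTS, baseline):
        print(f"ANOMALY unusual-hour sign-in: user={user} time={ts} ip={ip}")
    for ip, count in brute_force_sources(RECENT_EVENTS).items():
        print(f"ALERT possible brute force: ip={ip} failures_in_window={count}")
```

Both detections key on an entity rather than on a single event: the baseline is indexed by the user entity and the brute-force count by the IP entity, which is what lets the result be pivoted to an entity page or correlated with a threat intelligence feed. A real rule would also tune `tolerance` and `threshold` per environment and exclude known service accounts and scanners.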
Once suspicious activity is identified, the entity data can be used for detailed investigations. Analysts can visualize entity relationships and interactions using tools like the Microsoft 365 security center, which provides in-depth analysis and detailed timelines of entity-related activities.
For instance, a file entity suspected of being malware can be investigated by examining its creation, modification, the process that created the file, and any network connections it attempted to establish.
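The investigation described above (creation, modification, creating process, and network connections of a suspected file) amounts to pulling every event related to one file entity and the processes around it into a single timeline. The block below is an added example written for this page, not code from Microsoft 365 Defender or its timeline feature; the `Event` schema, the host name, process ids, paths (including the `updater.exe` placeholder) and IP addresses are all constructed sample values.

```python
"""Entity timeline for a suspected file, built from constructed endpoint events (added example)."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Event:
    ts: str                          # ISO timestamp (constructed)
    kind: str                        # ProcessCreated | FileCreated | FileModified | NetworkConnection
    host: str
    pid: int                         # process that performed the action
    parent_pid: Optional[int] = None
    image: Optional[str] = None      # full path of the executable (ProcessCreated)
    path: Optional[str] = None       # file path (FileCreated / FileModified)
    remote: Optional[str] = None     # ip:port (NetworkConnection)


# Constructed telemetry from one host. Paths and addresses are placeholders.
SUSPECT = r"C:\Users\alice\Downloads\updater.exe"
EVENTS = [
    Event("2024-03-07T10:00:00", "ProcessCreated", "WS01", 400, parent_pid=1, image=r"C:\Windows\explorer.exe"),
    Event("2024-03-07T10:02:10", "ProcessCreated", "WS01", 512, parent_pid=400, image=r"C:\Program Files\Outlook\outlook.exe"),
    Event("2024-03-07T10:05:30", "FileCreated", "WS01", 512, path=r"C:\Users\alice\Downloads\invoice.zip"),
    Event("2024-03-07T10:06:02", "ProcessCreated", "WS01", 640, parent_pid=400, image=r"C:\Program Files\7-Zip\7z.exe"),
    Event("2024-03-07T10:06:05", "FileCreated", "WS01", 640, path=SUSPECT),
    Event("2024-03-07T10:06:40", "ProcessCreated", "WS01", 700, parent_pid=400, image=SUSPECT),
    Event("2024-03-07T10:06:41", "FileModified", "WS01", 700, path=SUSPECT),
    Event("2024-03-07T10:06:45", "NetworkConnection", "WS01", 700, remote="203.0.113.10:443"),
    Event("2024-03-07T10:07:00", "NetworkConnection", "WS01", 512, remote="52.96.0.1:443"),  # unrelated mail traffic
]


def file_timeline(events, file_path):
    """Collect what an analyst pulls for a file entity: create/modify events on the path,
    the processes that performed them and their ancestry, any process launched from the
    file, and the network connections those launched processes made. Time-ordered."""
    by_pid = {e.pid: e for e in events if e.kind == "ProcessCreated"}
    related = set()

    # 1. File create/modify events on the path, plus the process that did each one.
    for e in events:
        if e.kind in ("FileCreated", "FileModified") and e.path == file_path:
            related.add(e)
            if e.pid in by_pid:
                related.add(by_pid[e.pid])

    # 2. Processes whose image is the file itself, i.e. the file was executed.
    launched = {e.pid for e in events if e.kind == "ProcessCreated" and e.image == file_path}
    related.update(by_pid[p] for p in launched)

    # 3. Walk parent chains so the analyst sees how the writer/executor was started.
    acting = [e.pid for e in related if e.kind != "ProcessCreated"]
    for pid in list(launched) + acting:
        cur = by_pid.get(pid)
        while cur is not None:
            related.add(cur)
            cur = by_pid.get(cur.parent_pid)

    # 4. Outbound connections made by the executed file's processes.
    related.update(e for e in events if e.kind == "NetworkConnection" and e.pid in launched)
    return sorted(related, key=lambda e: e.ts)


def creating_process(events, file_path):
    """Image of the process that first created the file, or None if not observed."""
    by_pid = {e.pid: e for e in events if e.kind == "ProcessCreated"}
    for e in sorted(events, key=lambda e: e.ts):
        if e.kind == "FileCreated" and e.path == file_path and e.pid in by_pid:
            return by_pid[e.pid].image
    return None


if __name__ == "__main__":
    print("created by:", creating_process(EVENTS, SUSPECT))
    for e in file_timeline(EVENTS, SUSPECT):
        print(e.ts, e.kind, e.pid, e.image or e.path or e.remote)
```

The output excludes the Outlook network connection because that process neither touched the file nor was launched from it, which is the same scoping an analyst applies when reading an entity page: only activity linked to the entity, not everything on the host.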
The final step is continuously improving the classification and analysis of entities by incorporating feedback from investigations and updates to threat intelligence. This ensures that entity behavior analytics remain accurate and that threat detection methods evolve to keep pace with the changing threat landscape.
For SC-200 Microsoft Security Operations Analyst exam candidates, understanding how to classify and analyze data by using entities is paramount. It enhances the ability to detect, investigate, and mitigate threats effectively. Real-world examples of entity analysis not only reinforce the concepts but also provide practical insights into the daily responsibilities of a Security Operations Analyst. By mastering entity classification and analysis, candidates will be well-equipped to add value to their organizations’ security operations centers.
Entity behavior analytics examines user and entity behavior patterns to identify anomalies that may indicate a security risk or breach.
Entities in the context of security operations include any object that can be identified and tracked, such as IP addresses, user accounts, and host machines.
Answer: A, B, C
Email addresses, network traffic, and threat indicators can all be classified and analyzed as part of security operations. Software patches are not entities but rather actions taken to secure entities.
Answer: A
The User entity page in Microsoft 365 Defender provides a comprehensive overview of the user’s behavior and related alerts.
Microsoft Sentinel allows users to create custom entities by enriching data or creating custom schemas for data ingested into the platform.
Answer: C
Risk detections in Azure AD Identity Protection classify potential risks discovered by machine learning algorithms that detect anomalies and known attack patterns.
Entities can come from both structured data like database tables and unstructured data sources such as email content or free-text logs.
Answer: D
A host entity can represent any computing platform, including physical servers, laptops, desktop computers, and virtual machines.
While it is possible to define custom correlation rules, Microsoft Sentinel provides built-in analytics and machine learning capabilities that can automatically correlate and analyze entity behavior.
Answer: C
Automated investigations in Microsoft Threat Protection may investigate user accounts that exhibit signs of compromise as part of its AIR capabilities.