Network Entity
An Entity is a unique identifier on the network. At this time, IP addresses and domains are supported entities. Entities are extracted from the event data and catalogued in their own data store. Contextual information is then added to the entities when applicable, such as:
- First seen / last seen timestamps
- Associated hostnames and usernames from DNS, DHCP, Kerberos, and NTLM events
- WHOIS and Registration information
- VirusTotal intelligence
- Associated software
Entities observed in your account are stored indefinitely. This allows analysts to determine who is interacting with the network and answer questions such as:
- Which / how many of my hosts are interacting with this entity?
- Who is responsible for this entity?
- What other entities are associated with this entity?
- What does everyone else know about this entity?
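A minimal sketch of the cataloguing described above, added here as an illustration and not the product's own code: it extracts IP and domain entities from constructed events, tracks first seen / last seen and DHCP/DNS hostnames, and answers the first question in the list. The event field names, the `INTERNAL` range and all function names are assumptions.

```python
import ipaddress
from dataclasses import dataclass, field
from datetime import datetime
INTERNAL = ipaddress.ip_network("10.0.0.0/8")  # assumed internal address range
FIELDS = {"dhcp": ("ip",), "dns": ("src_ip", "query", "answer"), "flow": ("src_ip", "dst_ip")}
EVENTS = [  # constructed sample events; field names are assumptions, not the product's schema
    {"ts": "2024-05-01T09:00:00", "type": "dhcp", "ip": "10.0.0.5", "hostname": "wks-01"},
    {"ts": "2024-05-01T09:05:00", "type": "dns", "src_ip": "10.0.0.5", "query": "Example.TEST.", "answer": "203.0.113.7"},
    {"ts": "2024-05-01T09:05:01", "type": "flow", "src_ip": "10.0.0.5", "dst_ip": "203.0.113.7"},
    {"ts": "2024-05-02T14:30:00", "type": "flow", "src_ip": "10.0.0.9", "dst_ip": "203.0.113.7"},
]

@dataclass
class Entity:
    first_seen: datetime
    last_seen: datetime
    internal: bool                                # True for an IP inside INTERNAL
    hostnames: set = field(default_factory=set)   # names learned from DHCP / DNS
    related: set = field(default_factory=set)     # other entities seen in the same event

def normalise(value):
    """Return (canonical key, is_internal) for an IP address or a domain."""
    try:
        ip = ipaddress.ip_address(value)
        return str(ip), ip in INTERNAL
    except ValueError:  # not an IP: treat as a domain, case-folded, no trailing dot
        return value.rstrip(".").lower(), False

def build_catalogue(events):
    catalogue = {}
    def touch(value, ts):
        key, internal = normalise(value)
        ent = catalogue.setdefault(key, Entity(ts, ts, internal))
        ent.first_seen, ent.last_seen = min(ent.first_seen, ts), max(ent.last_seen, ts)
        return key
    for ev in events:
        ts = datetime.fromisoformat(ev["ts"])
        keys = [touch(ev[f], ts) for f in FIELDS[ev["type"]]]
        if ev["type"] == "dhcp":
            catalogue[keys[0]].hostnames.add(ev["hostname"])
        if ev["type"] == "dns":  # the queried name is a hostname for the answer IP
            catalogue[keys[2]].hostnames.add(keys[1])
        for k in keys:  # every entity in an event is associated with the others
            catalogue[k].related |= set(keys) - {k}
    return catalogue

def internal_hosts(catalogue, entity):
    """Which of my hosts are interacting with this entity?"""
    return sorted(k for k in catalogue[normalise(entity)[0]].related if catalogue[k].internal)
```

Normalising keys before storing them is what keeps `Example.TEST.` and `example.test` from becoming two separate entities with split timelines.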
Working with entity information
You can perform an Entity Search (or Lookup) by entering an IP address or domain in the Search field in the top navigation menu. An Entity Search is an excellent starting point for an investigation if you have very little information to work with, because the entity record may contain important contextual information. For more information about entity searches, see Entity Lookup.
The Entity Panel displays all of the information collected for an entity from both within and outside of the network. You can access the Entity Panel for an entity by left-clicking any entity anywhere in the portal. For more information, see Entity Panel.