
Entity Guard Investigator Agent

by adaQuest

Investigates Defender incidents and delivers clear risk verdicts with actionable insights.

Entity Guard Investigator Agent is a Security Copilot agent designed to investigate and enrich all entities associated with security incidents across Microsoft Defender XDR and Microsoft Sentinel.

The agent helps SOC analysts understand users, devices, IP addresses, URLs, domains, file hashes, files, and other entities involved in an incident. Instead of only summarizing the incident, it expands the investigation around each entity and provides contextual evidence, observed signals, anomalies, confidence, and verdicts.

It correlates incident details, alert evidence, entity data, sign-in telemetry, audit context, endpoint activity, network activity, file/hash information, Microsoft Defender Threat Intelligence results, and Sentinel threat intelligence context when available.

Inputs

Entity Guard Investigator Agent requires an incident identifier and a lookback period. The identifier can refer to a Microsoft Defender XDR incident or a Microsoft Sentinel incident in the configured workspace.

Tasks

  • The agent investigates the incident in Microsoft Defender XDR and Microsoft Sentinel, extracts relevant entities, normalizes and deduplicates them, and enriches each entity by type.
  • For users, it analyzes identity context, risky user information, sign-in behavior, login failures, regions, IP usage, Conditional Access context when available, audit signals, and possible login anomalies.
  • For devices and hosts, it analyzes endpoint telemetry, observed users, logon activity, process/file context, network activity, and Defender XDR signals.
  • For IPs, it classifies each address as private, loopback, link-local, APIPA, IPv4-mapped IPv6, gateway-like, or public. Only public indicators are enriched with Microsoft Defender Threat Intelligence and Sentinel threat intelligence when available; internal and special-purpose addresses are classified but not sent for reputation lookups.
  • For URLs, domains, hashes, and files, it uses threat intelligence, Defender XDR telemetry, and Sentinel data when available to provide reputation, DNS, WHOIS, sightings, and related context.
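Normalization, deduplication and IP classification are the steps the rest of the enrichment depends on, so here is a worked example of them in Python. It is an added illustration, not adaQuest's implementation: the entity record shape (`{"type": ..., "value": ...}`), the type names, the rule that treats a private IPv4 host ending in .1 or .254 as gateway-like, and the sample entities are all assumptions made for the example. It also shows the administrative-metadata filtering (owner, analyst, comments, portal links) described under Key capabilities.

```python
"""Entity normalization, deduplication and IP classification (added example).

Not adaQuest's code. Assumed entity shape: {"type": ..., "value": ...}.
"""
import ipaddress
from typing import Dict, List, Tuple
from urllib.parse import urlsplit, urlunsplit

# Assumed type names for administrative metadata that is filtered out before
# enrichment (the listing names owner, analyst, comments and portal links).
ADMIN_METADATA_TYPES = {"owner", "analyst", "comment", "portallink"}

# Constructed sample entities; duplicates and mixed case are deliberate.
SAMPLE_ENTITIES = [
    {"type": "user", "value": "Alice@Contoso.com"},
    {"type": "user", "value": "alice@contoso.com "},
    {"type": "domain", "value": "Bad-Example.NET."},
    {"type": "domain", "value": "bad-example.net"},
    {"type": "url", "value": "HTTPS://Bad-Example.NET/Login?x=1"},
    {"type": "hash", "value": "E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855"},
    {"type": "ip", "value": "10.0.0.1"},
    {"type": "ip", "value": "10.0.0.25"},
    {"type": "ip", "value": "127.0.0.1"},
    {"type": "ip", "value": "169.254.10.7"},
    {"type": "ip", "value": "fe80::1"},
    {"type": "ip", "value": "::ffff:8.8.8.8"},   # IPv4-mapped form of the next entry
    {"type": "ip", "value": "8.8.8.8"},
    {"type": "owner", "value": "soc-tier2"},
    {"type": "portalLink", "value": "https://portal.example/incidents/123"},
]

APIPA = ipaddress.ip_network("169.254.0.0/16")


def classify_ip(value: str) -> Tuple[str, str]:
    """Return (category, canonical_value).

    Categories: loopback, apipa, link-local, mapped-ipv4, gateway-like,
    private, public, other. An IPv4-mapped IPv6 address is canonicalised to
    the embedded IPv4 address so that ::ffff:a.b.c.d and a.b.c.d deduplicate.
    """
    addr = ipaddress.ip_address(value)
    if addr.version == 6 and addr.ipv4_mapped is not None:
        return "mapped-ipv4", str(addr.ipv4_mapped)
    if addr.is_loopback:
        return "loopback", str(addr)
    if addr.version == 4 and addr in APIPA:
        return "apipa", str(addr)
    if addr.is_link_local:
        return "link-local", str(addr)
    if addr.is_private:
        # Assumption: a private IPv4 host ending in .1 or .254 is "gateway-like".
        if addr.version == 4 and addr.packed[-1] in (1, 254):
            return "gateway-like", str(addr)
        return "private", str(addr)
    if addr.is_global:
        return "public", str(addr)
    return "other", str(addr)   # multicast, reserved, documentation ranges


def normalize_entity(entity: Dict[str, str]) -> Dict[str, object]:
    """Canonicalise one entity and decide whether it gets a TI lookup."""
    etype = entity["type"].strip().lower()
    value = entity["value"].strip()
    record: Dict[str, object] = {"type": etype, "original": value, "ti_lookup": False}
    if etype == "ip":
        category, value = classify_ip(value)
        record["category"] = category
        # Only a public address (after unmapping) is sent to threat intelligence.
        record["ti_lookup"] = classify_ip(value)[0] == "public"
    elif etype == "domain":
        value = value.lower().rstrip(".")
        record["ti_lookup"] = True
    elif etype == "hash":
        value = value.lower()
        record["ti_lookup"] = True
    elif etype == "url":
        p = urlsplit(value)   # scheme and host are case-insensitive; the path is not
        value = urlunsplit((p.scheme.lower(), p.netloc.lower(), p.path, p.query, p.fragment))
        record["ti_lookup"] = True
    elif etype in ("user", "device", "host"):
        value = value.lower()
    record["value"] = value
    return record


def process_entities(entities: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Drop administrative metadata, normalise, and deduplicate by (type, value)."""
    seen = set()
    out: List[Dict[str, object]] = []
    for ent in entities:
        if ent["type"].strip().lower() in ADMIN_METADATA_TYPES:
            continue
        rec = normalize_entity(ent)
        key = (rec["type"], rec["value"])
        if key in seen:
            continue
        seen.add(key)
        out.append(rec)
    return out


def ti_candidates(records: List[Dict[str, object]]) -> List[str]:
    """Values that would be sent for threat intelligence enrichment."""
    return [str(r["value"]) for r in records if r["ti_lookup"]]


if __name__ == "__main__":
    for r in process_entities(SAMPLE_ENTITIES):
        print(r["type"], r.get("category", "-"), r["value"], "TI" if r["ti_lookup"] else "")
```

Running the block on the constructed sample leaves ten unique entities out of fifteen: the two user spellings, the two domain spellings and the mapped/unmapped pair of the same public address each collapse to one record, the owner and portal link are dropped, and only the domain, URL, hash and the single public IP are queued for threat intelligence.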

Outputs

The agent generates a structured entity intelligence report with incident summary, source coverage, entities investigated, and per-entity findings with observed signals, insights, evidence, anomalies, confidence, and verdict.

Key capabilities

- Investigates incidents from Microsoft Defender XDR and Microsoft Sentinel

- Extracts, normalizes, deduplicates, and enriches discovered entities

- Provides insights for users, devices, IPs, URLs, domains, hashes, and files

- Analyzes sign-in behavior, login failures, regions, IP usage, and possible anomalies

- Enriches devices with endpoint, logon, process, file, and network context

- Classifies IPs and enriches public indicators with threat intelligence

- Filters administrative metadata such as owner, analyst, comments, and portal links
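The sign-in analysis described above (login failures, regions, IP usage and possible anomalies over a lookback period) can be made deterministic with plain counting rules. The following Python is an added illustration, not adaQuest's logic: the row layout, the anomaly names and the thresholds (five failures within ten minutes, a success from the same IP shortly after such a burst, successes from more than one region) are assumptions, and the sign-in rows are constructed.

```python
"""Deterministic sign-in analysis over a lookback window (added example).

Not adaQuest's logic. Row layout, anomaly names and thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

# Constructed rows: (user, UTC time, result, source IP, region).
SAMPLE_SIGNINS: List[Tuple[str, str, str, str, str]] = [
    ("alice@contoso.com", "2025-01-10T07:00:00Z", "Success", "203.0.113.5", "US"),
    ("Alice@contoso.com", "2025-01-10T08:00:10Z", "Failure", "198.51.100.7", "DE"),
    ("alice@contoso.com", "2025-01-10T08:00:40Z", "Failure", "198.51.100.7", "DE"),
    ("alice@contoso.com", "2025-01-10T08:01:15Z", "Failure", "198.51.100.7", "DE"),
    ("alice@contoso.com", "2025-01-10T08:02:05Z", "Failure", "198.51.100.7", "DE"),
    ("alice@contoso.com", "2025-01-10T08:03:30Z", "Failure", "198.51.100.7", "DE"),
    ("alice@contoso.com", "2025-01-10T08:05:00Z", "Success", "198.51.100.7", "DE"),
    ("bob@contoso.com",   "2025-01-10T09:00:00Z", "Success", "203.0.113.9", "US"),
    ("bob@contoso.com",   "2025-01-10T09:30:00Z", "Failure", "203.0.113.9", "US"),
]

BURST_COUNT = 5                       # assumed threshold: failures per window
BURST_WINDOW = timedelta(minutes=10)  # assumed window length


def parse_utc(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def analyze_signins(rows: List[Tuple[str, str, str, str, str]],
                    since: Optional[datetime] = None) -> Dict[str, Dict[str, object]]:
    """Per-user counts, regions, IPs and anomalies for rows at or after `since`."""
    by_user = defaultdict(list)
    for user, ts, result, ip, region in rows:
        t = parse_utc(ts)
        if since is not None and t < since:
            continue  # outside the lookback period
        by_user[user.lower()].append((t, result == "Success", ip, region))

    report: Dict[str, Dict[str, object]] = {}
    for user, events in by_user.items():
        events.sort()
        successes = [e for e in events if e[1]]
        failures = [e for e in events if not e[1]]
        anomalies: List[str] = []

        # Failure burst: BURST_COUNT or more failures inside one BURST_WINDOW.
        times = [e[0] for e in failures]
        for i in range(len(times)):
            j = i
            while j < len(times) and times[j] - times[i] <= BURST_WINDOW:
                j += 1
            if j - i >= BURST_COUNT:
                anomalies.append("failure-burst")
                break

        # A success from the same IP right after a burst: guessing that worked.
        for t, _, ip, _ in successes:
            prior = [f for f in failures
                     if f[2] == ip and timedelta(0) <= t - f[0] <= BURST_WINDOW]
            if len(prior) >= BURST_COUNT:
                anomalies.append("success-after-failure-burst")
                break

        # Successful sign-ins from more than one region in the window.
        regions = sorted({e[3] for e in successes})
        if len(regions) > 1:
            anomalies.append("multi-region-success")

        report[user] = {
            "successes": len(successes),
            "failures": len(failures),
            "regions": regions,
            "ips": sorted({e[2] for e in events}),
            "anomalies": anomalies,
        }
    return report


if __name__ == "__main__":
    for user, summary in analyze_signins(SAMPLE_SIGNINS).items():
        print(user, summary)
```

The `since` parameter is the lookback period: with the full sample, alice's earlier success from a second region adds a multi-region finding, while a lookback that starts after that sign-in reports only the failure burst and the success that followed it. This is why the same incident can produce different verdicts under different lookback settings.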

Required products and permissions

Entity Guard Investigator Agent requires Microsoft Security Copilot and access to relevant Microsoft security data sources, including Microsoft Defender XDR, Microsoft Sentinel, Microsoft Entra ID, and Microsoft Defender Threat Intelligence when available.

Users running the agent need permissions to read incidents, alerts, entity evidence, advanced hunting data, Sentinel workspace data, Entra identity/sign-in context, audit context, and threat intelligence results.

Security Copilot Units consumption

Estimated SCU consumption per execution:

  • Small scope: about 1.2 to 2.0 SCUs for up to 5 entities, limited telemetry, and low indicator volume.
  • Medium scope: about 2.1 to 4.5 SCUs for 6 to 15 entities, multiple users or devices, and moderate identity, endpoint, Sentinel, and threat intelligence enrichment.
  • Large scope: about 4.6 to 8.0+ SCUs for more than 15 entities, multiple affected users or hosts, high telemetry volume, many indicators, and deeper correlation.

Actual SCU consumption may vary depending on tenant telemetry volume, data availability, incident complexity, enabled plugins, and entities requiring enrichment.

___

Changelog

Version 2.3.3

Added dual-source investigation across Defender XDR and Sentinel, Sentinel workspace support, deterministic sign-in analysis, Sentinel threat intelligence lookup, improved entity normalization, metadata filtering, IP classification, endpoint enrichment, and threat intelligence usage. Removed recommended actions to focus on entity intelligence.

Version 2.0.0

Production baseline release with entity investigation for Defender XDR incidents.

Version 1.2.0

Improved entity extraction, enrichment logic, report formatting, and threat intelligence context.

Version 1.0.0

Initial release.
