Microsoft Sentinel Blog

What’s New: Improved Incident Closing Experience is now Available!

Cristhofer Munoz
Apr 03, 2020

This installment is part of a broader series to keep you up to date with the latest features in Azure Sentinel. The installments will be bite-sized so that you can easily digest the new content.

While the primary function of a SOC is providing situational awareness through the detection, containment, and management of security threats, this comes with the responsibility to track metrics that measure performance and to make the changes that increase SOC efficiency.

 

From our own Microsoft Cyber Defense Operations Center (CDOC), we have learned that the metrics you choose to measure have a significant effect on the behaviors and outcomes of security operations. Focusing on the right measurements helps drive continuous improvement in the areas that meaningfully reduce risk.

Today, we are happy to release the improved incident closing experience!

 

This feature is meant to help customers track more detailed information on why incidents are closed. Measuring these metrics lets you enforce alert quality across your SOC, tune out false positives, and adjust processes to improve prioritization and focus.

Today, an incident's status can be New, In Progress, or Closed. When changing the status to 'Closed' you have the option of specifying whether the incident was a False Positive or a True Positive.

 

In order to collect more information when an incident is closed, we made this a mandatory field and provided a set of closing reasons based on input from our researchers and from customers:

  • True Positive, suspicious activity
  • Benign Positive, suspicious but expected
  • False Positive, incorrect alert logic
  • False Positive, inaccurate data
  • Undetermined
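The post's point is that the closing reason becomes a metric: counted SOC-wide it shows where analyst time goes, and counted per analytic rule it shows which rules need tuning. The following is an added example (not code from the post or from the Sentinel product) that does both computations over a small, constructed incident export. It assumes the export carries one row per incident modification with the field names and enum spellings of Sentinel's SecurityIncident log schema (IncidentNumber, Status, Classification, ClassificationReason, RelatedAnalyticRuleIds, LastModifiedTime); the rule names and incidents are made up.

```python
from collections import Counter, defaultdict
from datetime import datetime

# Labels for the five closing reasons from the post, keyed by the
# (Classification, ClassificationReason) pair an incident export carries.
# The enum spellings are an assumption modelled on the SecurityIncident schema.
CLOSING_REASONS = {
    ("TruePositive", "SuspiciousActivity"): "True Positive, suspicious activity",
    ("BenignPositive", "SuspiciousButExpected"): "Benign Positive, suspicious but expected",
    ("FalsePositive", "IncorrectAlertLogic"): "False Positive, incorrect alert logic",
    ("FalsePositive", "InaccurateData"): "False Positive, inaccurate data",
    ("Undetermined", ""): "Undetermined",
}

# Constructed sample export. Each modification is one row, so incident 101
# appears twice (opened, then closed); 107 is still open. Rule ids are made up.
SAMPLE_ROWS = [
    {"IncidentNumber": 101, "Status": "New", "Classification": "", "ClassificationReason": "",
     "RelatedAnalyticRuleIds": ["rule-bruteforce"], "LastModifiedTime": "2020-04-01T08:00:00Z"},
    {"IncidentNumber": 101, "Status": "Closed", "Classification": "TruePositive",
     "ClassificationReason": "SuspiciousActivity",
     "RelatedAnalyticRuleIds": ["rule-bruteforce"], "LastModifiedTime": "2020-04-01T09:30:00Z"},
    {"IncidentNumber": 102, "Status": "Closed", "Classification": "FalsePositive",
     "ClassificationReason": "IncorrectAlertLogic",
     "RelatedAnalyticRuleIds": ["rule-rare-process"], "LastModifiedTime": "2020-04-01T11:00:00Z"},
    {"IncidentNumber": 103, "Status": "Closed", "Classification": "FalsePositive",
     "ClassificationReason": "IncorrectAlertLogic",
     "RelatedAnalyticRuleIds": ["rule-rare-process"], "LastModifiedTime": "2020-04-02T11:00:00Z"},
    {"IncidentNumber": 104, "Status": "Closed", "Classification": "BenignPositive",
     "ClassificationReason": "SuspiciousButExpected",
     "RelatedAnalyticRuleIds": ["rule-rare-process"], "LastModifiedTime": "2020-04-02T12:00:00Z"},
    {"IncidentNumber": 105, "Status": "Closed", "Classification": "FalsePositive",
     "ClassificationReason": "InaccurateData",
     "RelatedAnalyticRuleIds": ["rule-bruteforce"], "LastModifiedTime": "2020-04-03T12:00:00Z"},
    {"IncidentNumber": 106, "Status": "Closed", "Classification": "Undetermined",
     "ClassificationReason": "",
     "RelatedAnalyticRuleIds": ["rule-bruteforce"], "LastModifiedTime": "2020-04-03T13:00:00Z"},
    {"IncidentNumber": 107, "Status": "Active", "Classification": "", "ClassificationReason": "",
     "RelatedAnalyticRuleIds": ["rule-rare-process"], "LastModifiedTime": "2020-04-03T14:00:00Z"},
]


def _ts(value):
    """Parse the ISO 8601 timestamps used in the export."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def latest_state(rows):
    """Collapse the modification log to one row per incident (the newest one)."""
    latest = {}
    for row in rows:
        num = row["IncidentNumber"]
        if num not in latest or _ts(row["LastModifiedTime"]) > _ts(latest[num]["LastModifiedTime"]):
            latest[num] = row
    return list(latest.values())


def closing_breakdown(rows):
    """SOC-wide metric: number of closed incidents per closing reason."""
    counts = Counter()
    for row in latest_state(rows):
        if row["Status"] != "Closed":
            continue
        key = (row["Classification"], row["ClassificationReason"] or "")
        counts[CLOSING_REASONS.get(key, "Unknown/legacy")] += 1
    return counts


def rule_tuning_report(rows, logic_fp_threshold=0.5):
    """Per analytic rule: closed incidents, how many were closed as 'incorrect alert
    logic' vs 'inaccurate data', and whether the logic share crosses the threshold.
    The two false-positive reasons are kept apart because the remedy differs:
    incorrect logic is fixed in the rule, inaccurate data is fixed at the source."""
    per_rule = defaultdict(lambda: {"closed": 0, "incorrect_logic": 0, "inaccurate_data": 0})
    for row in latest_state(rows):
        if row["Status"] != "Closed":
            continue
        for rule_id in row["RelatedAnalyticRuleIds"]:
            stats = per_rule[rule_id]
            stats["closed"] += 1
            if row["Classification"] == "FalsePositive":
                if row["ClassificationReason"] == "IncorrectAlertLogic":
                    stats["incorrect_logic"] += 1
                elif row["ClassificationReason"] == "InaccurateData":
                    stats["inaccurate_data"] += 1
    report = {}
    for rule_id, stats in per_rule.items():
        rate = stats["incorrect_logic"] / stats["closed"]
        report[rule_id] = {**stats, "incorrect_logic_rate": round(rate, 2),
                           "tune": rate >= logic_fp_threshold}
    return report


if __name__ == "__main__":
    for label, n in closing_breakdown(SAMPLE_ROWS).most_common():
        print(f"{n:3d}  {label}")
    for rule_id, stats in sorted(rule_tuning_report(SAMPLE_ROWS).items()):
        print(rule_id, stats)
```

The dedupe step in latest_state matters in practice: an export that logs every modification would otherwise count an incident once per status change, and the Undetermined case shows why the reason field has to be treated as optional.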

We hope this feature will help customers better tune their rules and measure their SOC's performance, and it will also give us more detailed feedback on our own detections.

Get started today!

 

We encourage you to use the improved incident closing experience in your environment.

Note – The official documentation will be available in 1-2 weeks.

Try it out, and let us know what you think!

Updated Jun 24, 2020
Version 4.0
  • shahrukhreza
    Copper Contributor

    Hi Cristhofer,

    Can you help me figure out the difference between the two below:

    • False Positive, incorrect alert logic
    • False Positive, inaccurate data

    Also, could we get more details about the full set of closing reasons?

    Thank you

  • "a set of closing reasons"

    Could you give more explanation of how each choice affects the Sentinel engine's behavior, or is it only feedback about the quality of the incident rules?

    Which reason has the meaning "that's totally OK, there's a support ticket for this action"? I guess "suspicious but expected" should be OK, but I would like to be sure 😉

  • -Jonathan-
    Copper Contributor

    Is there any documentation explaining the difference between the two below?

    • False Positive, incorrect alert logic
    • False Positive, inaccurate data