Blog Post

Microsoft Sentinel Blog
1 MIN READ

What’s new: Incident timeline

Ely_Abramovitch's avatar
Ely_Abramovitch
Icon for Microsoft rankMicrosoft
Apr 13, 2021

Building a timeline of a cyber security incident is one of the most critical parts of affective incident investigation and response. It is essential in order to understand the path of the attack, its scope and to determine appropriate response measures.

 

Now in public preview, we are redesigning the Azure Sentinel full incident page to display the alerts and bookmarks that are part of the incident in a chronological order. As more alerts are added to the incident, and as more bookmarks are added by analysts, the timeline will update to reflect the information known on the incidents.

 

 

 

For each alert and bookmark, a side panel will be displayed to show details such as the entities involved, the status, the MITRE tactics used, custom details defined and many other details. Having these details available without further navigation can help with incident trigate and can reduce the overall investigation time.

 

              

 

 

 

We plan to extend this offering by adding additional elements to the timeline such as anomalies or activities and including elements from the incident response world such as analyst or automation actions. We will appreciate your feedback as to what will help with you procceses.

 

For further reading:

 

Updated Nov 03, 2021
Version 2.0
investigation
microsoft sentinel
Ely_Abramovitch's avatar
Icon for Microsoft rankMicrosoft
Joined April 16, 2020
View Profile
Microsoft Sentinel Blog

Microsoft Sentinel is a cloud-native SIEM, enriched with AI and automation to provide expansive visibility across your digital environment.

When evaluating various solutions, your peers value hearing from people like you who’ve used the product. Review Microsoft Sentinel by filling out a Gartner Peer Insights survey and receive a $25 USD gift card (for customers only). Here are the Privacy/Guideline links: Microsoft Privacy Statement, Gartner’s Community Guidelines & Gartner Peer Insights Review Guide.

1 Comment

Sort By
  • TokeSR's avatar
    TokeSR
    Copper Contributor
    Jun 04, 2021

    I think this Timeline function is a really good addition to the ticketing system in Sentinel. This is something I wanted to see in other ticketing systems in the past but it is rarely there.

     

    However, there is a behavior that is odd to me and I think it is not completely logical. When I add a new bookmark to an incident then it is placed onto the Timeline at the time of the Bookmark creation.

    So lets say there is an event happening at 1PM. Then an incident is created independently at 2PM. As I start to investigate the incident, I find the the event from 1PM and I realize it is related to the incident, so I bookmark it (at 3 PM) and then I attach the bookmark to the incident (little bit later). In this case the Bookmark on the timeline is going to be shown as an event after the incident creation (3PM vs 2PM). On the other hand, the event I bookmarked actually happened at 1PM, so earlier than the incident was created.

     

    From an IR point of view, seeing the time of the event rather than the time of the bookmark creation seems more logical.

     

    What do you think of this? Is it possible to change these times, or to use another time information from the event, since the original event time is also there in the bookmark event (I guess this depends on the query)?