Forum Discussion
Microsoft Sentinel Potentially malicious events and Incidents
#1
https://docs.microsoft.com/en-us/azure/sentinel/get-visibility#get-visualization
Potential malicious events: When traffic is detected from sources that are known to be malicious, Microsoft Sentinel alerts you on the map. If you see orange, it is inbound traffic: someone is trying to access your organization from a known malicious IP address. If you see Outbound (red) activity, it means that data from your network is being streamed out of your organization to a known malicious IP address.
The map is described above, but it's only good if you are looking at it in the UI. When you click on the map (if you have data) you can see the query that is used.
Whereas an Incident is based on an Analytic Rule that will initiate when the trigger that you define is encountered (maybe based on the map query?). If you create an Incident rule, it may only be needed for Inbound maliciousIP or a use case you are interested in - as it is, the query is probably best for a visualisation rather than an Incident, which would typically require more tuning in the KQL to reduce the noise.
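As an added illustration of the tuning the post above is talking about (this is not the map's own query and not code from the original discussion), the KQL below is the kind of scheduled Analytic Rule query you might write for the narrower "inbound traffic from a known malicious IP" case. It assumes CommonSecurityLog (firewall/CEF) is one of your connected data sources and that ThreatIntelligenceIndicator holds your TI feed; the internal address ranges, the confidence threshold, the blocked-action filter and the event-count threshold are all assumptions to replace with your own values.

```kusto
// Added example, not the Sentinel map query and not from the original post.
// Assumes CommonSecurityLog is connected and ThreatIntelligenceIndicator is populated.
let lookback = 1d;
// Assumption: the address space you consider "yours"; swap in your public ranges.
let internal_ranges = dynamic(["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]);
// Build the set of currently active IP indicators, one row per IP.
let ti_ips =
    ThreatIntelligenceIndicator
    | where TimeGenerated >= ago(30d)
    | where Active == true and ExpirationDateTime > now()
    | extend IndicatorIP = coalesce(NetworkIP, NetworkSourceIP)
    | where isnotempty(IndicatorIP)
    | where ConfidenceScore >= 70                       // assumption: tune to your feed
    | summarize arg_max(TimeGenerated, *) by IndicatorIP
    | project IndicatorIP, ThreatType, ConfidenceScore, Description, SourceSystem;
CommonSecurityLog
| where TimeGenerated >= ago(lookback)
| where isnotempty(SourceIP) and isnotempty(DestinationIP)
// Inbound only: the remote side is the source, our side is the destination.
| where ipv4_is_in_any_range(DestinationIP, internal_ranges)
| where not(ipv4_is_in_any_range(SourceIP, internal_ranges))
// Traffic the firewall already dropped is usually noise for an Incident.
| where DeviceAction !in~ ("deny", "drop", "block")
| join kind=inner ti_ips on $left.SourceIP == $right.IndicatorIP
| summarize EventCount = count(),
            FirstSeen = min(TimeGenerated),
            LastSeen  = max(TimeGenerated),
            Targets   = make_set(DestinationIP, 20),
            Ports     = make_set(DestinationPort, 20)
          by SourceIP, ThreatType, ConfidenceScore, Description, DeviceVendor, DeviceProduct
// Assumption: a handful of allowed hits from one indicator is worth an Incident, one is not.
| where EventCount >= 5
| order by ConfidenceScore desc, EventCount desc
```

In the rule itself, map SourceIP to the IP entity (and DestinationIP to a Host or IP entity if you want the target shown on the Incident), schedule it to run on the same interval as the lookback, and group results by SourceIP so one noisy indicator does not open dozens of Incidents. The outbound (red) case from the map is the mirror image: match DestinationIP against the indicators and require SourceIP to be in your ranges.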
#2
Your data is used, so maliciousIP is compared to your IP addresses seen in the (up to 6) data sources used.