Incident Investigation question


Did the functionality of the Incident graphical investigation change? 

 

I have 4 alerts that share the same user and IPAddress entities.  Previously, when I did an investigation and clicked on Related alerts for the user I would see the new alerts and lines back to the related entities.  It did not do that today (see IncidentInvestigation1.jpg).

 

Also, when I click on one of the related incidents in the timeline, it did not highlight the link back to the IP address  (see IncidentInvestigation2.jpg) which is an entity of the Incident.

6 Replies

@Gary Bushey This might be due to the new Event Aggregation feature that was released into Public Preview today.  

This feature is meant to help you reduce the noise in your Azure Sentinel incidents queue.

Today, each alert generated from a scheduled Analytics rule creates a new Azure Sentinel incident.
Using the new ‘Incident Configuration’ tab in the Analytics rule wizard, you can configure how alerts generated by that Analytics rule are aggregated into incidents.

You can also decide to run scheduled alerts that do not generate an incident at all – but are only saved in the SecurityAlert table in your Azure Sentinel workspace.


@Kara Cole If that is the case, it is a HUGE step backward in functionality as far as I am concerned.   As it stands now I can see associated alerts for a user, as an example.  However, there is no longer any linking of those associated alerts back to any of the Incidents other than the one that I used to see the associated alerts.

 

So if the associated alerts also have the same IP address, I have no way of telling that using the Investigation feature now.  If I mouse over one of the associated alerts in the Timeline view, only that original incident is highlighted, none of the others will be.

 

This makes it much harder to see the associations in my view.


@Kara Cole Sorry, forgot to thank you for taking the time to answer this question in the first place.


@Gary Bushey 

Hi, 

 

Hmm, we actually didn't change anything in the functionality.
If you click on 'related entities' for each of the alerts you should see the relationships between the alerts and the matching entities.

Let me know if that addresses the issue.

Thanks,

Raz


@razhe Thank you for your reply but it didn't resolve the issue.  Let me see if I can explain it a bit better.

 

I have 4 alerts/incidents. Three of them, New Account, Account Elevated, and Account Deleted, all share the same Entities: IP = 192.168.154.159, Account = John Doe, and Host = ADServer.   The fourth one, Mass Download, has Host = HRServer and URL = www.microsoft.com, along with Account = John Doe and IP = 192.168.154.159.

 

When performing an investigation on New Account, I see all three Entities.  Great!  Working correctly.  I can then view Related Alerts on the Account, John Doe, and I see the other three alerts.  Still working.  If I then go to Mass Download and view Related entities, I only see the two entities that are not on the page yet.  OK, that seems fine.  HOWEVER, there is no longer a line going from Mass Download to the existing Account and IP entities, like there used to be, so I have no way of knowing that those two entities are related to the Mass Download alert.  See the attached image. 

 

This makes the investigation not as useful as it used to be as this would lead me to believe there are only 2 entities associated to the Mass Download alert when in fact there are 4.

 

We can take this offline if it would be easier.
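The behaviour described in the original question and in the post above (alerts that share Account and IP entities, and the expectation that an expanded alert is linked to every one of its entities, including entity nodes already on the canvas) can be checked outside the portal by rebuilding the alert-to-entity graph yourself. The following is an added example, not code from the thread or from Azure Sentinel. It assumes rows shaped like the SecurityAlert table, with an Entities column holding a JSON array of entity objects that carry a "Type" field and a type-specific value property (Name, Address, HostName, Url); the four alerts and their entity values are constructed from the thread, and the function and field names are the example's own.

```python
import json
from collections import defaultdict

# Constructed sample rows shaped like the SecurityAlert table: one row per alert,
# Entities holding a JSON array of entity objects. The entity object layout
# ("Type" plus a value property) is an assumption of this example.
SAMPLE_ALERTS = [
    {"AlertName": "New Account", "Entities": json.dumps([
        {"Type": "account", "Name": "John Doe"},
        {"Type": "ip", "Address": "192.168.154.159"},
        {"Type": "host", "HostName": "ADServer"},
    ])},
    {"AlertName": "Account Elevated", "Entities": json.dumps([
        {"Type": "account", "Name": "John Doe"},
        {"Type": "ip", "Address": "192.168.154.159"},
        {"Type": "host", "HostName": "ADServer"},
    ])},
    {"AlertName": "Account Deleted", "Entities": json.dumps([
        {"Type": "account", "Name": "John Doe"},
        {"Type": "ip", "Address": "192.168.154.159"},
        {"Type": "host", "HostName": "ADServer"},
    ])},
    {"AlertName": "Mass Download", "Entities": json.dumps([
        {"Type": "account", "Name": "John Doe"},
        {"Type": "ip", "Address": "192.168.154.159"},
        {"Type": "host", "HostName": "HRServer"},
        {"Type": "url", "Url": "www.microsoft.com"},
    ])},
]

# Which property carries the identifying value for each entity type (assumed).
VALUE_FIELD = {"account": "Name", "ip": "Address", "host": "HostName", "url": "Url"}


def entity_key(entity):
    """Normalise one entity object to a (type, value) key so that the same
    account or IP seen in different alerts collapses to one graph node."""
    etype = str(entity.get("Type", "")).lower()
    field = VALUE_FIELD.get(etype)
    if field is None or field not in entity:
        return None  # unknown or incomplete entity: no node for it
    return (etype, str(entity[field]).strip().lower())


def build_graph(rows):
    """Return (alert -> set of entity keys, entity key -> set of alert names)."""
    alert_to_entities = defaultdict(set)
    entity_to_alerts = defaultdict(set)
    for row in rows:
        name = row["AlertName"]
        for ent in json.loads(row["Entities"]):
            key = entity_key(ent)
            if key is None:
                continue
            alert_to_entities[name].add(key)
            entity_to_alerts[key].add(name)
    return alert_to_entities, entity_to_alerts


def related_alerts(entity_to_alerts, key, exclude=None):
    """The 'Related alerts' pivot: every other alert that shares this entity."""
    return sorted(a for a in entity_to_alerts.get(key, set()) if a != exclude)


def investigation_edges(rows, start_alert, pivot_key):
    """Mimic the investigation canvas: place start_alert and its entities, pivot on
    one entity to pull in the alerts sharing it, and connect each pulled-in alert to
    ALL of its entities, whether or not that entity node was already on the canvas.
    Returns (nodes, edges); edges are (alert name, entity key) pairs."""
    alert_to_entities, entity_to_alerts = build_graph(rows)
    nodes = {("alert", start_alert)}
    edges = set()
    for key in alert_to_entities[start_alert]:
        nodes.add(("entity",) + key)
        edges.add((start_alert, key))
    for alert in entity_to_alerts.get(pivot_key, set()):
        nodes.add(("alert", alert))
        for key in alert_to_entities[alert]:
            nodes.add(("entity",) + key)  # no-op if the node already exists
            edges.add((alert, key))       # the line must still be drawn
    return nodes, edges


def edges_for_alert(edges, alert):
    """Entity keys an alert is linked to on the canvas."""
    return sorted(key for a, key in edges if a == alert)


if __name__ == "__main__":
    nodes, edges = investigation_edges(
        SAMPLE_ALERTS, "New Account", ("account", "john doe"))
    for name in sorted({a for a, _ in edges}):
        print(name, "->", edges_for_alert(edges, name))
```

Run as-is, it lists four entities for Mass Download (account, IP, host and URL), which is the linkage the post above says the canvas should show; only two of those entity nodes are new when Mass Download is expanded, but all four edges exist.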


@Gary Bushey 

Thanks for explaining! This indeed requires further investigation on our side.
We might contact you offline if we need more details or are unable to recreate.

Thanks again for bringing this to our attention, I'll keep you updated on our findings.