cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Incident Investigation question

Gary Bushey
Bronze Contributor

‎Feb 14 2020 12:14 PM

‎Feb 14 2020 12:14 PM

Incident Investigation question

Did the functionality of the Incident graphical investigation change? 

 

I have 4 alerts that share the same user and IPAddress entities.  Previously, when I did an investigation and clicked on Related alerts for the user I would see the new alerts and lines back to the related entities.  It did not do that today (see IncidentInvestigation1.jpg).

 

Also, when I click on one of the related incidents in the timeline, it did not highlight the link back to the IP address  (see IncidentInvestigation2.jpg) which is an entity of the Incident.

Preview file
104 KB
Preview file
75 KB
2,011 Views
0 Likes
6 Replies
Reply
6 Replies
Kara Cole

‎Feb 20 2020 11:36 AM

‎Feb 20 2020 11:36 AM

Re: Incident Investigation question

@Gary Bushey This might be due to the new Event Aggregation feature that was released into Public Preview today.  

This feature is meant to help you reduce the noise in your Azure Sentinel incidents queue.

Today, each alert generated from a scheduled Analytics rule creates a new Azure Sentinel incident.
Using the new ‘Incident Configuration’ tab in the Analytics rule wizard, you can configure how alerts generated by that Analytics rule are aggregated into incidents.

You can also decide to run scheduled alerts that do not generate an incident at all – but are only saved in the SecurityAlert table in your Azure Sentinel workspace.

0 Likes
Reply
Gary Bushey

‎Feb 20 2020 12:59 PM

‎Feb 20 2020 12:59 PM

Re: Incident Investigation question

@Kara Cole If that is the case, it is a HUGE step backward in functionality as far as I am concerned.   As it stands now I can see associated alerts for a user an example.  However, there is no longer any linking of those associated alerts back to any of the Incidents other than the one that I used to see the associated alerts.

 

So if the associated alerts also have the same IP address, I have no way of telling that using the Investigation feature now.  If I mouse over one of the associated alerts in the Timeline view, only that original incident is highlighted, none of the others will be.

 

This makes is much harder to see the associations in my view.

0 Likes
Reply
Gary Bushey

‎Feb 20 2020 01:00 PM

‎Feb 20 2020 01:00 PM

Re: Incident Investigation question

@Kara Cole Sorry, forgot to thank you for taking the time to answer this question in the first place.

0 Likes
Reply
razhe

‎Feb 24 2020 06:21 PM

‎Feb 24 2020 06:21 PM

Re: Incident Investigation question

@Gary Bushey 

Hi, 

 

Hmm, we actually didn't change anything in the functionality.
If you click on 'related entities' for each of the alerts you should see the relationships between the alerts and the matching entities.

Let me know if that addresses the issue.

Thanks,

Raz

0 Likes
Reply
Gary Bushey

‎Feb 25 2020 05:34 AM

‎Feb 25 2020 05:34 AM

Re: Incident Investigation question

@razhe Thank you for your reply but it didn't resolve the issue.  Let me see if I can explain it a bit better.

 

I have 4 alerts/incidents. Three of them ; New Account, Account Elevated, and Account Deleted all share the same Entities: IP = 192.168.154.159, Account = John Doe , and Host = ADServer.   The fourth one, Mass Download, has Host = HRServer and URL = www.microsoft.com, along with Account = John Doe and IP = 192.168.154.159

 

When performing an investigation on New Account, I see all three Entities.  Great!  Working correct.  I can then view Related Alerts on the Account, John Doe, and I see the other three alerts.  Still working.  If I then go to Mass Download, and view Related entities I only see the two entities that are not on the page yet.  OK, that seems fine.  HOWEVER, there no longer a line going from Mass Download to the existing Account and IP entities, like there used to be, so I have no way of knowing that those two entities are related to the Mass Download alert.  See the attached image. 

 

This makes the investigation not as useful as it used to be as this would lead me to believe there are only 2 entities associated to the Mass Download alert when in fact there are 4.

 

We can take this offline if it would be easier.

 
Preview file
65 KB
0 Likes
Reply
razhe

‎Feb 28 2020 01:25 PM

‎Feb 28 2020 01:25 PM

Re: Incident Investigation question

@Gary Bushey 

Thanks for explaining! this indeed requires further investigation on our side.
We might contact you offline if we need more details or are unable to recreate.

Thanks again for bringing this to our attention, I'll keep you updated on our findings.

0 Likes
Reply