Microsoft Threat Protection now uses more descriptive incident names

The new incident naming feature in Microsoft Threat Protection now lets you understand an incident's scope at a glance!

When you are looking at the incident queue and need to decide which incident to investigate next, hints about what the incident contains play an important role in that choice. Naming incidents automatically is hard because a single incident can span a variety of different suspicious activities.

Our researchers have developed a state-of-the-art algorithm that automatically describes incidents with comprehensive names, leveraging the MITRE ATT&CK® categories we have for each alert. Instead of having numerical incident names like Incident 1234, you now see incident names like Multi-stage incident involving Discovery & Collection reported by multiple sources.

Now, analysts can quickly understand the scope of an incident right from the Microsoft Threat Protection incident queue. With the incident's name and its supporting data (such as the number of endpoints affected, users affected, detection sources, categories, and more) in one view, analysts can make faster decisions based on the nature of the incident. This improvement saves analysts time and effort that is better spent investigating and remediating high-priority threats.

Here are some examples of incident names developed with the new algorithm:

  • 'Dirtelti' backdoor was prevented on multiple endpoints
  • Office process dropped and executed a PE file on multiple endpoints
  • Multi-stage incident involving Initial access & Execution on one endpoint reported by multiple sources
  • Ransomware activity
  • Multi-stage incident involving Discovery & Command and control on one endpoint
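The names above follow a visible pattern: the ATT&CK tactics of the correlated alerts, the endpoint scope, and whether more than one detection source contributed. As an added illustration (not Microsoft's algorithm, which this post does not publish), the Python below derives a name of that shape from a set of correlated alerts; the Alert record, the sample alerts and the kill-chain ordering used to sort tactics are assumptions constructed for the example.

```python
from dataclasses import dataclass
from typing import Iterable, List

# Constructed alert record (not real telemetry). The fields mirror the
# supporting data the post lists: ATT&CK category, affected endpoint,
# detection source.
@dataclass(frozen=True)
class Alert:
    title: str      # detection title as it would appear in the alert queue
    category: str   # MITRE ATT&CK tactic assigned to the alert
    endpoint: str   # device the alert fired on
    source: str     # detection source, e.g. "endpoint", "identity", "email"

# ATT&CK enterprise tactics in kill-chain order (assumed ordering), so a
# multi-stage name reads earliest stage first ("Initial access & Execution").
TACTIC_ORDER = [
    "Initial access", "Execution", "Persistence", "Privilege escalation",
    "Defense evasion", "Credential access", "Discovery", "Lateral movement",
    "Collection", "Command and control", "Exfiltration", "Impact",
]

def _scope(count: int, noun: str) -> str:
    return f"one {noun}" if count == 1 else f"multiple {noun}s"

def _join(categories: List[str]) -> str:
    # "A & B" for two tactics, "A, B & C" for more
    if len(categories) == 1:
        return categories[0]
    return ", ".join(categories[:-1]) + " & " + categories[-1]

def name_incident(alerts: Iterable[Alert]) -> str:
    """Derive a descriptive incident name from the correlated alerts."""
    alerts = list(alerts)
    if not alerts:
        raise ValueError("an incident needs at least one alert")
    categories = sorted(
        {a.category for a in alerts},
        key=lambda c: TACTIC_ORDER.index(c) if c in TACTIC_ORDER else len(TACTIC_ORDER),
    )
    endpoints = _scope(len({a.endpoint for a in alerts}), "endpoint")
    suffix = " reported by multiple sources" if len({a.source for a in alerts}) > 1 else ""
    if len(categories) > 1:
        return f"Multi-stage incident involving {_join(categories)} on {endpoints}{suffix}"
    # Single-tactic incident: reuse the shared detection title when all alerts
    # agree, otherwise fall back to the tactic name.
    titles = {a.title for a in alerts}
    head = alerts[0].title if len(titles) == 1 else f"{categories[0]} activity"
    return f"{head} on {endpoints}{suffix}"
```

Because tactics are sorted by kill-chain position rather than by alert arrival order, the same incident gets the same name regardless of which alert was correlated first.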

To learn more about incidents in Microsoft Threat Protection, see the following links:

  • Inside Microsoft Threat Protection: Correlating and consolidating attacks into incidents – https://www.microsoft.com/security/blog/2020/07/09/inside-microsoft-threat-protection-correlating-and-consolidating-attacks-into-incidents/
  • Inside Microsoft Threat Protection: Mapping attack chains from cloud to endpoint – https://www.microsoft.com/security/blog/2020/06/18/inside-microsoft-threat-protection-mapping-attack-chains-from-cloud-to-endpoint/
  • Inside Microsoft Threat Protection: Attack modeling for finding and stopping lateral movement – https://www.microsoft.com/security/blog/2020/06/10/the-science-behind-microsoft-threat-protection-attack-modeling-for-finding-and-stopping-evasive-ransomware/
  • Inside Microsoft Threat Protection: Solving cross-domain security incidents through the power of correlation analytics – https://www.microsoft.com/security/blog/2020/07/29/inside-microsoft-threat-protection-solving-cross-domain-security-incidents-through-the-power-of-correlation-analytics/

1 Comment

Thank you @Idan_Pelleg. This is very cool and a helpful feature.