SOLVED

Understanding the use of the Evidence Role field in Alert Tuning

Copper Contributor

Hi there,

 

I am looking for some help with understanding the use of the Evidence Role field when tuning an alert. I currently receive a false positive alert that I am trying to automatically set to resolved. There are a few conditions that need to be met to qualify as this alert and one of those is to have a certain IP involved.

 

When setting up the involved IP, I would use this configuration for example (all specifics redacted):

[screenshot: JoshuaN1_0-1699874218659.png]

along with a collection of other details such as hostname etc. I understand the functionality of all of it other than the Evidence role field and the subsequent options it has, being In or Not in, and the final dropdown having these options:

[screenshot: JoshuaN1_1-1699874296455.png]

I have been unable to find suitable advice online to do with alert tuning outside of the basic functionality and how to set it up, so if there is a resource somewhere that I have missed, a pointer in that direction would also be greatly appreciated.

 

I am looking for an explanation as to what this field does / means, and where/if I need it to achieve what I want to do. 

 

Thank you for the help :) 

 

5 Replies
best response confirmed by JoshuaN1 (Copper Contributor)
Solution

Hi @JoshuaN1,

The Evidence Role field in alert tuning is used to specify the role of the evidence in the alert. The options for this field are In and Not In. If you select In, the alert will trigger if the evidence is present. If you select Not In, the alert will trigger if the evidence is not present.

For example, if you want to create an alert that triggers when a certain IP address is involved, you would use the IP filter and set the Evidence Role to In. This means that the alert will trigger if the IP address is present in the evidence.

Investigate alerts in Microsoft 365 Defender | Microsoft Learn

Please click Mark as Best Response & Like if my post helped you to solve your issue.
This will help others to find the correct solution easily. It also closes the item.


If the post was useful in other ways, please consider giving it Like.


Kindest regards,


Leon Pavesic
(LinkedIn)

That is great stuff. Thank you for the help! Answers my question perfectly.

Are you able to give me any information on the effect of the different options Contextual, Impacted, Related?

Hi @JoshuaN1,

thanks for the update.

Regarding your question, the Contextual option in the Evidence Role field of Alert Tuning is used to identify the context of the alert.

The Impacted option is used to identify the entities that are impacted by the alert.

Finally, the Related option is used to identify the entities that are related to the alert. These options are used to help analysts better understand the scope of the alert and to help them determine the appropriate course of action.

For more information you can check out the following links:
Boost your detection and response workflows with alert tuning (microsoft.com)
Investigate alerts in Microsoft 365 Defender | Microsoft Learn

Please click Mark as Best Response & Like if my post helped you to solve your issue.
This will help others to find the correct solution easily. It also closes the item.


If the post was useful in other ways, please consider giving it Like.


Kindest regards,


Leon Pavesic
(LinkedIn)
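To make the two answers above concrete, here is an added illustration (written for this thread; it is not Microsoft code and not how the Defender tuning engine is actually implemented) that models the fields visible in the screenshots: an IP condition combined with an Evidence role operator of In / Not in over the role values Contextual, Impacted and Related. A rule auto-resolves an alert only when every condition is satisfied by at least one evidence item, so an alert where the IP appears merely as Contextual evidence is left alone while the same IP as Impacted evidence is resolved. The alert data, rule names and the exact matching semantics are assumptions made for the example.

```python
"""Toy model of an alert-tuning rule evaluator (illustration only).

Assumptions, not Microsoft's implementation: each alert carries a list of
evidence items, each with a type, a value and one role (Contextual,
Impacted or Related). A condition names a type and value plus a role
operator ("In" or "Not in") and a role set; "In" matches when the item's
role is inside the set, "Not in" when it is outside. All sample alerts
below are constructed for this example.
"""
from dataclasses import dataclass

ROLES = frozenset({"Contextual", "Impacted", "Related"})


@dataclass(frozen=True)
class Evidence:
    kind: str   # e.g. "Ip" or "Host"
    value: str  # e.g. "203.0.113.10" (TEST-NET address, constructed)
    role: str   # one of ROLES


@dataclass(frozen=True)
class Condition:
    kind: str
    value: str
    role_operator: str = "In"      # "In" or "Not in", as in the dropdown
    roles: frozenset = ROLES       # role values selected in the final dropdown

    def matches(self, ev: Evidence) -> bool:
        """True when the evidence item has this type/value and its role passes the operator."""
        if ev.kind != self.kind or ev.value != self.value:
            return False
        in_set = ev.role in self.roles
        return in_set if self.role_operator == "In" else not in_set


@dataclass(frozen=True)
class TuningRule:
    name: str
    conditions: tuple
    action: str = "Resolve"

    def applies_to(self, evidence: list) -> bool:
        """Every condition must be satisfied by at least one evidence item."""
        return all(any(c.matches(ev) for ev in evidence) for c in self.conditions)


def apply_rule(rule: TuningRule, alerts: dict) -> dict:
    """Return {alert_id: status}: the rule's action where it applies, else 'New'."""
    return {aid: (rule.action if rule.applies_to(ev) else "New")
            for aid, ev in alerts.items()}


# Constructed sample alerts: same IP in different roles, plus an unrelated IP.
SAMPLE_ALERTS = {
    "alert-1": [Evidence("Ip", "203.0.113.10", "Impacted"),
                Evidence("Host", "ws01", "Impacted")],
    "alert-2": [Evidence("Ip", "203.0.113.10", "Contextual"),
                Evidence("Host", "ws01", "Impacted")],
    "alert-3": [Evidence("Ip", "198.51.100.7", "Impacted"),
                Evidence("Host", "ws01", "Impacted")],
}

# Rule from the question, modelled: known IP must be Impacted or Related
# evidence, and the host must match in any role.
KNOWN_FP_RULE = TuningRule(
    name="Known scanner false positive (constructed)",
    conditions=(
        Condition("Ip", "203.0.113.10", "In", frozenset({"Impacted", "Related"})),
        Condition("Host", "ws01"),
    ),
)

# Same IP, but using "Not in": resolve only when the IP is NOT contextual.
NOT_CONTEXTUAL_RULE = TuningRule(
    name="IP not merely contextual (constructed)",
    conditions=(Condition("Ip", "203.0.113.10", "Not in", frozenset({"Contextual"})),),
)

if __name__ == "__main__":
    for rule in (KNOWN_FP_RULE, NOT_CONTEXTUAL_RULE):
        print(rule.name, apply_rule(rule, SAMPLE_ALERTS))
```

Running the script shows that `alert-1` is resolved by both rules, `alert-2` is left as New by both (its IP is only Contextual evidence), and `alert-3` never matches because the IP differs; widening the role set to all three roles would also resolve `alert-2`, which is exactly the scope decision the Evidence role dropdown controls.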

Ahh cool okay, thank you for the help :)

Hi @JoshuaN1,

you're welcome.

Kindest regards,

Leon Pavesic
(LinkedIn)
