Analysts need to understand the full scope of an attack as fast as possible to respond effectively. While triaging, investigating, and responding to a security incident, analysts use many pieces of information, actions, and tools. For the process to be seamless and effective, as many of those as possible should be available within the incident page, allowing quick and optimal triage without having to pivot to another blade or another product (for example, to find the geo-location of an IP address or Azure Active Directory (AAD) information, edit a bookmark, or add an entity to the threat intelligence repository).
Today we are happy to announce the public preview of the new incident experience in Sentinel. The new incident page design, along with many new features for investigation, response, and incident management, offers the analyst the information and tools necessary to understand the incident and the scope of the breach while making navigation easy and context switching less frequent. New features include, among others: top insights, a new activity log for incident audits, and a Log Analytics query window to investigate logs.
The overview tab
The overview tab is the first to appear and includes triage and investigation tools such as similar incidents, an incident timeline with alerts and bookmarks, an incident details panel, and a preview of the entities. Also included in the new overview are top insights on the right side of the page. Top insights are entity insights specifically chosen by Microsoft’s security experts to give a quick view of the most important information about the entity – whether it appears in threat intelligence or watchlists, an IP address's remote connections, UEBA insights, and more. Those insights speed up triage and help the analyst understand the nature of the incident and its entities better and faster. A deeper dive into more insights on each entity is provided in the entities tab.
The screenshot below shows the incident overview page, with the new top insight panel:
The new activity log includes the comments and audit entries of the incident, whether manual or automated, such as severity or status changes, playbooks triggered, alerts added, and more. The log is auto-refreshed (even while scrolled or while a comment is being written), so collaboration is made simple: new audit entries or comments by other analysts or by automation appear in the feed while the analyst is working in it.
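The same status, severity, and ownership changes that the activity log shows in the page can also be checked or exported from the logs. The KQL query below is an added example, not code from the original post or from Microsoft; it assumes the standard SecurityIncident table in the Sentinel workspace (which writes a new row each time an incident is modified), and the incident number 12345 is a placeholder.

```kql
// Added example, not part of the original post.
// Each modification of an incident writes a new SecurityIncident row, so ordering the
// rows for one incident by modification time reconstructs its audit trail.
// The incident number 12345 is a placeholder for a real incident in your workspace.
let incident = 12345;
SecurityIncident
| where IncidentNumber == incident
| order by LastModifiedTime asc
| project LastModifiedTime,
          ModifiedBy,                               // analyst, automation rule, or playbook that made the change
          Status,
          Severity,
          AssignedTo = tostring(Owner.assignedTo),  // Owner is a dynamic (JSON) column
          Classification,
          AlertCount = array_length(AlertIds)       // grows when alerts are added to the incident
```

Comparing consecutive rows shows which analyst or automation changed what and when, which is useful when reviewing whether the SOC's escalation rules were followed for a given incident.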
The screenshot below shows the activity log:
Standardizing and formalizing the list of tasks an analyst should follow when triaging, investigating or remediating an incident can help keep your SOC running smoothly, ensuring the same requirements apply to all analysts. Those tasks, whether pre-populated by automation rules and playbooks or manually added, are now embedded into the new incident page. Tasks can be followed by the analyst according to the different stages of the triage, investigation and remediation and marked as completed when done.
The screenshot below shows the incident tasks:
Log Analytics querying window
The Log Analytics panel now opens within the incident, providing the ability to query tables and dive into evidence while the entities and incident details remain visible. The logs panel can be opened either from a dedicated button or by selecting specific evidence from the incident. Details about alerts and bookmarks are presented in the context of the timeline (just click on the element), and the links to specific tables and query results open in a panel on the side. Bookmarks can also be added directly from this panel.
The screenshot below shows the logs panel:
Entities now carry a lot of information in the context of the incident, including details on the specific entity (geo-location for IP addresses, for example), the entity’s timeline, where alerts related to the entity can be added to the incident, and entity insights. Those insights include the top insights from the overview tab and more specific insights that allow a deeper dive. Actions on the entities, such as triggering a playbook or adding the entity to Threat Intelligence, are available both from the entities grid in a dedicated tab and from the entities widget.
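The logs panel described above lets an analyst pull the same alerts and entities the timeline and entities tab display, which is handy for verifying what the incident page shows or for pivoting from an entity into raw table data. The KQL query below is an added example, not code from the original post or from Microsoft; it assumes the standard SecurityIncident and SecurityAlert tables, treats the alert's Entities column as the JSON array Sentinel writes there, and uses the placeholder incident number 12345.

```kql
// Added example, not part of the original post.
// Lists every alert that belongs to one incident together with the entities each alert carries,
// so the result can be compared against the incident page's timeline and entities tab.
// The incident number 12345 is a placeholder for a real incident in your workspace.
let incident = 12345;
SecurityIncident
| where IncidentNumber == incident
| summarize arg_max(LastModifiedTime, *) by IncidentNumber       // latest state of the incident
| mv-expand AlertId = AlertIds to typeof(string)                 // one row per alert in the incident
| join kind=inner (
    SecurityAlert
    | summarize arg_max(TimeGenerated, *) by SystemAlertId       // latest version of each alert
    | project SystemAlertId, AlertName, AlertSeverity, StartTime, Entities
  ) on $left.AlertId == $right.SystemAlertId
| mv-expand Entity = todynamic(Entities)                         // Entities is a JSON array string
| extend EntityType = tostring(Entity.Type),
         // the identifying field differs per entity type: Address for ip, Name for account, HostName for host
         EntityValue = coalesce(tostring(Entity.Address), tostring(Entity.Name), tostring(Entity.HostName))
| where isnotempty(EntityValue)
| project IncidentNumber, AlertName, AlertSeverity, StartTime, EntityType, EntityValue
| order by StartTime asc
```

Filtering on EntityType == "ip" gives exactly the addresses whose geo-location and remote-connection insights appear in the entities tab, and the same query is a convenient starting point for a bookmark when a particular row turns out to be evidence worth keeping.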
The screenshot below shows the entities info:
Detailed documentation for the new incident experience can be found here.
A walk-through of the investigation and case management capabilities can be found here.
For more context and a step-by-step demo please watch this video.