As the investigation of a security incident unfolds, the scope of the incident might expand. As analysts investigate an incident, they might uncover additional steps in the attacker's kill chain, revealing the full attack story. Attaching those alerts to the incident being investigated is a critical requirement for documenting the investigation process and ensuring appropriate mitigation steps are taken. The end result is richer incidents that represent the full story of the attack, which you can then report on, sync with external systems, and act on accurately.
We are happy to announce, now in public preview, a new capability that will allow analysts to add or remove an alert from an incident as a part of their investigation experience. This feature can be used from the investigation graph UI or combined in a SOAR playbook to generate an automatic and configurable grouping of alerts to incidents.
In the investigation graph, clicking the “related alerts” button on an entity presents all the alerts this entity was involved in. These alerts might be part of this attack, or they might not – they are a hypothesis at that point. To represent this, they are presented with a dotted line.
After identifying an alert that is part of the incident, the analyst can now click “add alert to incident”. Clicking this adds the alert and any associated entities to the incident. The added alert is presented with a solid line, and the alert is added to the incident timeline. In the same way, alerts can be removed from incidents. Once the alert has been added to the incident, all other expanded alerts can be closed to keep a clean investigation workbench.
This new capability is also supported as part of the Sentinel LogicApp integration and allows you to include alert grouping and enrichment scenarios as part of your orchestration flows. New actions were added to the Sentinel LogicApp connector:
A common use for this action will be with the Azure Monitor connector to run queries against your Log Analytics workspace, querying the SecurityAlert table or the SecurityIncident table. Two common scenarios can be:
An example playbook template titled "relate alert to incident by IP" was added to our playbook template gallery. You can use it as is or customize it to fit other scenarios and other alert types.
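As an added illustration of the "by IP" grouping scenario, the KQL query below (written for this post, not taken from the playbook template) finds alerts from the last seven days that share an IP entity with the alerts already attached to a given incident, so a playbook can pass them to the add-alert action. It assumes the standard SecurityIncident and SecurityAlert tables, where AlertIds and Entities are JSON strings; the incident number is a placeholder.

```kql
// Placeholder: replace with the incident under investigation.
let incidentNumber = 1234;
// Alert IDs already attached to the incident (latest snapshot of the incident record).
let incidentAlertIds =
    SecurityIncident
    | where IncidentNumber == incidentNumber
    | summarize arg_max(TimeGenerated, AlertIds)
    | mv-expand AlertId = todynamic(AlertIds)
    | project AlertId = tostring(AlertId);
// One row per (alert, IP entity) for recent alerts.
let alertIps =
    SecurityAlert
    | where TimeGenerated > ago(7d)
    | mv-expand Entity = todynamic(Entities)
    | where tostring(Entity.Type) == "ip"
    | project SystemAlertId, AlertName, TimeGenerated, Address = tostring(Entity.Address);
// IP addresses seen in the alerts that are already part of the incident.
let incidentIps =
    alertIps
    | where SystemAlertId in (incidentAlertIds)
    | distinct Address;
// Candidate alerts: same IP, not yet attached to the incident.
alertIps
| where Address in (incidentIps)
| where SystemAlertId !in (incidentAlertIds)
| summarize SharedIps = make_set(Address), FirstSeen = min(TimeGenerated) by SystemAlertId, AlertName
| order by FirstSeen asc
```

The resulting SystemAlertId values are what the playbook would feed to the new add-alert action; treat them as candidates for review rather than attaching them blindly, since a shared IP (for example a proxy or NAT address) does not by itself prove the alerts belong to the same attack.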
Read more about additional use cases, additional capabilities, and limitations in the documentation.
Thanks,
Ely