What’s new: incident expansion – relate alerts to incidents
Published May 25 2022 05:33 PM 3,647 Views
Microsoft

As the investigation of a security incident unfolds, the scope of the incident might expand. As analysts investigate an incident, they might uncover additional steps in the attacker's kill chain and so uncover the full attack story. Attaching those alerts to the incident being investigated is a critical requirement for documenting the investigation process and ensuring that appropriate mitigation steps are taken. The end result is richer incidents that represent the full story of the attack, which you can then report on, sync with external systems, and act on accurately.

We are happy to announce, now in public preview, a new capability that will allow analysts to add or remove an alert from an incident as a part of their investigation experience. This feature can be used from the investigation graph UI or combined in a SOAR playbook to generate an automatic and configurable grouping of alerts to incidents.


Adding alerts to incidents in the investigation graph


In the investigation graph, clicking the “related alerts” button on an entity presents all the alerts this entity was involved in. These alerts might be part of this attack, or they might not – they are a hypothesis at that point. To represent this, they are presented with a dotted line.


After identifying an alert that is part of the incident, the analyst can now click “add alert to incident”. Clicking this will add the alert and any associated entity to the incident. The added alert will be presented with a solid line, and the alert will be added to the incident timeline. In the same way, alerts can be removed from incidents. After the alert was added to the incident, all other expanded alerts can be closed to keep a clean investigation workbench.


Adding alerts to incidents as part of SOAR playbooks 


This new capability is also supported as part of the Sentinel LogicApp integration and allows you to include alert grouping and enrichment scenarios as part of your orchestration flows. New actions were added to the Sentinel LogicApp connector: 


A common use for this action will be with the Azure Monitor connector to run queries against your Log Analytics workspace, querying the SecurityAlert table or the SecurityIncident table. Two common scenarios can be:

  • Using the alert trigger and running a query to find an incident with similar properties or entities to the triggered alert and adding the alert to that incident.  
  • Using the incident trigger and running a query against the security alerts table to find other alerts that might be related to this incident. 

An example playbook template titled "relate alert to incident by IP" was added to our playbook template gallery. You can use it as is or customize it to fit other scenarios and other alert types. 
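As an added illustration of the first scenario (not Microsoft's playbook template and not code from the original post), the following Python shows the grouping decision such a playbook has to make after the Azure Monitor query returns: take the IP entities of the triggered alert, look for open incidents whose alerts share one of those IPs within a lookback window, and pick the best candidate. The rows are constructed to resemble the SecurityAlert and SecurityIncident tables (the Entities column is a JSON array of entity objects, AlertIds a JSON array of SystemAlertIds); the row contents, the lookback window and the ranking rule are assumptions for the example.

```python
"""Correlate a triggered alert to an existing incident by shared IP entities.

Added example, not part of the original post. Column names follow the
Sentinel SecurityAlert / SecurityIncident schema; all row contents are
constructed sample data.
"""
import json
from datetime import datetime, timedelta

# Constructed SecurityAlert rows (subset of columns).
SECURITY_ALERT_ROWS = [
    {"SystemAlertId": "alert-001", "TimeGenerated": "2022-05-25T10:00:00Z",
     "Entities": json.dumps([{"$id": "1", "Type": "ip", "Address": "203.0.113.10"},
                             {"$id": "2", "Type": "account", "Name": "jdoe"}])},
    {"SystemAlertId": "alert-002", "TimeGenerated": "2022-05-25T11:00:00Z",
     "Entities": json.dumps([{"$id": "1", "Type": "ip", "Address": "203.0.113.10"}])},
    {"SystemAlertId": "alert-003", "TimeGenerated": "2022-05-10T09:00:00Z",
     "Entities": json.dumps([{"$id": "1", "Type": "ip", "Address": "203.0.113.10"},
                             {"$id": "2", "Type": "ip", "Address": "198.51.100.7"}])},
]

# Constructed SecurityIncident rows: which alerts each incident already groups.
SECURITY_INCIDENT_ROWS = [
    {"IncidentNumber": 1, "Status": "Active", "AlertIds": json.dumps(["alert-001"])},
    {"IncidentNumber": 2, "Status": "Active", "AlertIds": json.dumps(["alert-003"])},
    {"IncidentNumber": 3, "Status": "Closed", "AlertIds": json.dumps(["alert-002"])},
]

# Constructed input of the alert trigger: the alert that just fired.
TRIGGERED_ALERT = {
    "SystemAlertId": "alert-100", "TimeGenerated": "2022-05-25T12:00:00Z",
    "Entities": json.dumps([{"$id": "1", "Type": "ip", "Address": "203.0.113.10"},
                            {"$id": "2", "Type": "ip", "Address": "198.51.100.7"},
                            {"$id": "3", "Type": "host", "HostName": "ws01"}]),
}


def _parse_time(value):
    # Sentinel timestamps are ISO 8601 UTC; fromisoformat() before 3.11 rejects a trailing "Z".
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def ip_addresses(entities_json):
    """Return the set of IP addresses among an alert's entities (Type 'ip', Address field)."""
    entities = json.loads(entities_json)
    return {e["Address"] for e in entities
            if str(e.get("Type", "")).lower() == "ip" and e.get("Address")}


def find_related_incident(triggered_alert, alert_rows, incident_rows, lookback_days=7):
    """Pick the incident to attach the triggered alert to.

    Candidates are incidents that are not Closed and contain at least one alert,
    generated inside the lookback window, sharing an IP with the triggered alert.
    Ranking (an assumption for this example): most shared IPs first, then the
    incident whose matching alert is most recent. Returns (IncidentNumber, shared
    IPs) or None when nothing qualifies, so the playbook can fall through to
    leaving the alert for normal incident creation.
    """
    target_ips = ip_addresses(triggered_alert["Entities"])
    if not target_ips:
        return None
    window_start = _parse_time(triggered_alert["TimeGenerated"]) - timedelta(days=lookback_days)
    alerts_by_id = {row["SystemAlertId"]: row for row in alert_rows}
    best = None
    for incident in incident_rows:
        if incident["Status"] == "Closed":
            continue  # reopening closed incidents is an analyst decision, not a playbook's
        shared, latest = set(), None
        for alert_id in json.loads(incident["AlertIds"]):
            if alert_id == triggered_alert["SystemAlertId"]:
                continue  # already grouped here; do not match an alert against itself
            row = alerts_by_id.get(alert_id)
            if row is None:
                continue
            generated = _parse_time(row["TimeGenerated"])
            if generated < window_start:
                continue  # stale overlap: the same IP weeks ago is weak evidence
            overlap = ip_addresses(row["Entities"]) & target_ips
            if overlap:
                shared |= overlap
                latest = generated if latest is None or generated > latest else latest
        if not shared:
            continue
        key = (len(shared), latest)
        if best is None or key > best[0]:
            best = (key, incident["IncidentNumber"], shared)
    return None if best is None else (best[1], best[2])


if __name__ == "__main__":
    print(find_related_incident(TRIGGERED_ALERT, SECURITY_ALERT_ROWS, SECURITY_INCIDENT_ROWS))
```

With the sample data and the default seven-day window the alert is attached to incident 1; widening the window to thirty days makes incident 2 win on the larger IP overlap, even though its alert is older, and incident 3 is never chosen because it is closed. In a playbook the same checks map onto the KQL query's `where` clauses and a condition step before the "add alert to incident" action; the window and ranking should be tuned to the alert type, since a shared public IP alone can over-group unrelated alerts.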


Read more about additional use cases, additional capabilities, and limitations in the documentation. 


Thanks, 

Ely 

Last update: May 25 2022 09:24 AM