Microsoft Sentinel Blog

What's new: Similar incidents in Microsoft Sentinel

Ely_Abramovitch
Former Employee
May 15, 2022

When triaging or investigating an incident, the context provided by the other incidents in your SOC can be extremely useful. Other incidents involving the same entities, for example, can provide context that lets you reach the right decision faster. Now, in public preview, we are happy to announce a new tab in the incident page that lists other incidents similar to the one you are investigating. Some common use cases for similar incidents are:

  • Finding other incidents that might be part of a larger attack story.
  • Using a similar incident as reference for incident handling. The way the previous incident was handled can act as a guide for handling the current one.
  • Finding relevant people in your SOC that have handled similar incidents for guidance or consultation.

Similar incidents are calculated by an algorithm we developed. The algorithm factors in shared entities, a shared analytics rule and shared alert details, and ranks the results by similarity. To avoid overloading analysts, only the 20 most similar incidents from the last 14 days are presented; future improvements will allow those figures to be configured.
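
The post does not publish the ranking algorithm itself. The following added example (not Sentinel's code) sketches how such a ranking could combine the three factors the post names with the 14-day window and 20-result cap; the Jaccard overlap, the weights and the sample incidents are all assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class Incident:
    id: str
    rule: str                 # analytics rule that raised the incident
    entities: frozenset       # e.g. "user:alice", "host:srv01"
    alert_details: frozenset  # e.g. alert names or tactics
    created: datetime

def jaccard(x: frozenset, y: frozenset) -> float:
    # Set overlap in [0, 1]; 0.0 when both sets are empty.
    return len(x & y) / len(x | y) if (x | y) else 0.0

def similarity(a: Incident, b: Incident) -> float:
    # Assumed scoring: weighted entity and alert-detail overlap plus a
    # bonus for the same analytics rule. Weights are illustrative only.
    return (0.5 * jaccard(a.entities, b.entities)
            + 0.3 * jaccard(a.alert_details, b.alert_details)
            + 0.2 * float(a.rule == b.rule))

def similar_incidents(current, candidates, now, window_days=14, limit=20):
    # Rank other incidents from the last `window_days` days and return at
    # most `limit`, mirroring the post's 14-day / 20-incident defaults.
    cutoff = now - timedelta(days=window_days)
    scored = [(similarity(current, c), c) for c in candidates
              if c.id != current.id and c.created >= cutoff]
    scored = [(s, c) for s, c in scored if s > 0]      # drop unrelated ones
    scored.sort(key=lambda sc: (-sc[0], sc[1].id))     # most similar first
    return [c for _, c in scored[:limit]]

# Constructed sample data (not real incidents).
NOW = datetime(2022, 5, 15, 12, 0)
CURRENT = Incident("INC-0", "R1", frozenset({"user:alice", "host:srv01"}),
                   frozenset({"A1"}), NOW)
CANDIDATES = [
    Incident("INC-1", "R1", frozenset({"user:alice", "host:srv02"}),
             frozenset({"A1"}), NOW - timedelta(days=1)),
    Incident("INC-2", "R2", frozenset({"host:srv01"}),
             frozenset({"A2"}), NOW - timedelta(days=3)),
    Incident("INC-3", "R1", CURRENT.entities, CURRENT.alert_details,
             NOW - timedelta(days=20)),   # identical, but outside the window
    Incident("INC-4", "R3", frozenset({"user:bob"}),
             frozenset({"A3"}), NOW - timedelta(days=2)),  # nothing shared
]

def ranked_ids(window_days=14, limit=20):
    return [i.id for i in similar_incidents(CURRENT, CANDIDATES, NOW,
                                            window_days, limit)]
```

With the defaults, INC-3 is excluded by the 14-day window even though it is the closest match, and INC-4 is dropped because it shares nothing with the current incident.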

This feature is part of our ongoing effort to give analysts as much context as possible when investigating an incident, allowing quicker decision-making and a faster time to resolution. Suggestions for further improvements to this feature, or requests for features that are missing, are always appreciated!

To read more:

Updated May 15, 2022

2 Comments

  • Vitor
    Copper Contributor

    Talking about what's new, I noticed a very unpleasant surprise this morning, when working with Sentinel.

    Sentinel used to have a very good and easy way to navigate the interface, where you could investigate an incident (View Full Details > Alert ID or events, etc.), and you wouldn't lose previous information and the previous screens, as you could scroll to the sides. This was a huge navigational help, as I did not need to refresh pages or exit my investigation, and I could easily compare existing tickets just by scrolling to the left.

    For some reason this functionality vanished today. Life is a lot harder now that I don't have all the necessary data loaded in the same screen. Not sure why Microsoft arbitrarily chooses to make our lives a little harder.

    Is there a way this could roll back to how it was yesterday?
    On the same note, in AAD, when checking sign-in logs for users, clicking on a log would bring the related details to the bottom of the screen. This was very good, because I could still see the other logs above. Later, this changed to load the info to the right of the screen, in the way of a good chunk of the logs, so we cannot easily compare the currently expanded information with the other log lines. Could this be rolled back also?

    Thanks,

    Vitor

  • Reza_Ameri
    Silver Contributor

    This is a very valuable and useful feature.

    Most of the time people in the SOC only focus on solving the current issue (which is good), but this way would give them insight not only to resolve and understand the issue better but also to think about preventing it. Another benefit is that there may be incidents which have been missed, and this feature will surface them.