What's new: Similar incidents in Microsoft Sentinel
Published May 15 2022 04:54 AM 4,756 Views

When triaging or investigating an incident, the context of the entirety of incidents in your SOC can be extremely useful. Other incidents involving the same entities for example can represent useful context that will allow you to reach the right decision faster. Now, in public preview, we are happy to announce a new tab in the incident page that lists other incidents that are similar to the incident you are investigating. Some common use cases for using similar incidents are:


  • Finding other incidents that might be part of a larger attack story.
  • Using a similar incident as reference for incident handling. The way the previous incident was handled can act as a guide for handling the current one.
  • Finding relevant people in your SOC that have handled similar incidents for guidance or consultation.


Similar incidents are calculated based on an algorithm we developed. The algorithm factors in shared entities, shared rule and shared alert details and ranks the results by similarity. Only the 20 most similar incidents from the last 14 days are presented as to not overload analysts, though future improvements will allow configuration of those figures.





This feature is part of our ongoing efforts to provide analysts with the most context possible when investigating an incident to allow for a quick decision making and faster time to resolve. Any suggestion for other improvements to this feature or requests for features that are missing are always appreciated!


To read more:

Version history
Last update:
‎May 15 2022 04:49 AM
Updated by: