Oct 12 2021 06:48 PM - edited Oct 12 2021 06:51 PM
Has anyone here done any work on the idea of a playbook to perform triage on Sentinel incidents?
e.g.:
If the incident contains a username entity, run these KQL queries and create tags depending on the results.
The tags would represent specific findings, e.g.:
username has been seen in 5 distinct alerts in the past 7 days, so tag name = "5D-User"
IP has been seen in 3 distinct alerts in the past 7 days, so tag name = "3D-IP"
username is sensitive, so tag name = "sensitive-user"
Do you see where I'm going here?
I want to use tags to create a library of common tags which will accelerate triage by identifying interesting indicators.
(I've already created such a playbook but I'm looking for more ideas to add to it)
Even if you haven't done such a playbook please share your ideas for interesting indicators that would help triage an incident.
Thank you!
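A Python model of the tag logic the post describes, added here as an example; it is not the poster's playbook and not Sentinel's own code. It takes constructed rows in the shape of the SecurityAlert table (TimeGenerated, SystemAlertId, Entities JSON), counts distinct alerts per user and per IP over a 7-day window, de-duplicating rows that share a SystemAlertId, and then applies a small tag library with the three tags from the post. The fixed NOW timestamp, the ">=" threshold semantics, the sensitive-user list and every sample row are assumptions made for the example.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Assumed "current" time so the 7-day window is deterministic (not data from the page).
NOW = datetime(2021, 10, 12, 18, 0, tzinfo=timezone.utc)
LOOKBACK = timedelta(days=7)

# Tag library: (entity kind, minimum distinct alerts in the window, tag name).
# Tag names follow the post; treating the count as ">= threshold" is an assumption.
COUNT_RULES = [
    ("user", 5, "5D-User"),
    ("ip", 3, "3D-IP"),
]
# Assumed sensitive-account list (a real playbook would read this from a watchlist).
SENSITIVE_USERS = {"bob@contoso.com"}


def _row(alert_id, days_ago, *entities):
    """Build one constructed SecurityAlert-style row."""
    return {
        "TimeGenerated": NOW - timedelta(days=days_ago),
        "SystemAlertId": alert_id,
        "Entities": json.dumps(list(entities)),
    }


def _user(name, suffix="contoso.com"):
    return {"Type": "account", "Name": name, "UPNSuffix": suffix}


def _ip(addr):
    return {"Type": "ip", "Address": addr}


# Constructed sample alerts (not real telemetry). Alert a1 appears twice to show
# de-duplication by SystemAlertId; a7 is older than the 7-day window.
SAMPLE_ALERTS = [
    _row("a1", 0.5, _user("alice"), _ip("203.0.113.7")),
    _row("a1", 0.5, _user("alice"), _ip("203.0.113.7")),  # duplicate row, same alert
    _row("a2", 1, _user("alice"), _ip("203.0.113.7")),
    _row("a3", 2, _user("alice")),
    _row("a4", 3, _user("alice"), _ip("203.0.113.7")),
    _row("a5", 6, _user("alice"), _ip("198.51.100.4")),
    _row("a6", 4, _user("bob")),
    _row("a7", 10, _user("alice"), _ip("203.0.113.7")),  # outside the window
]


def entity_keys(entities_json):
    """Normalise one alert's Entities JSON into (kind, value) pairs: users as lower-cased UPNs, IPs as addresses."""
    keys = set()
    for ent in json.loads(entities_json):
        kind = str(ent.get("Type", "")).lower()
        if kind == "account" and ent.get("Name"):
            upn = ent["Name"]
            if ent.get("UPNSuffix"):
                upn = f"{upn}@{ent['UPNSuffix']}"
            keys.add(("user", upn.lower()))
        elif kind == "ip" and ent.get("Address"):
            keys.add(("ip", ent["Address"]))
    return keys


def distinct_alert_counts(alerts, now=NOW, lookback=LOOKBACK):
    """Count distinct SystemAlertIds per entity inside the lookback window."""
    seen = defaultdict(set)
    for row in alerts:
        if row["TimeGenerated"] < now - lookback:
            continue  # too old for the window
        for key in entity_keys(row["Entities"]):
            seen[key].add(row["SystemAlertId"])
    return {key: len(ids) for key, ids in seen.items()}


def triage_tags(incident_entities, alerts, sensitive_users=SENSITIVE_USERS, now=NOW):
    """Map each incident entity value to the list of tags the library assigns it."""
    counts = distinct_alert_counts(alerts, now)
    result = {}
    for kind, value in incident_entities:
        tags = []
        n = counts.get((kind, value), 0)
        for rule_kind, threshold, tag in COUNT_RULES:
            if kind == rule_kind and n >= threshold:
                tags.append(tag)
        if kind == "user" and value in sensitive_users:
            tags.append("sensitive-user")
        result[value] = tags
    return result


def incident_tags(incident_entities, alerts, **kw):
    """Flattened, de-duplicated, sorted tag list to apply to the incident."""
    per_entity = triage_tags(incident_entities, alerts, **kw)
    return sorted({t for tags in per_entity.values() for t in tags})


if __name__ == "__main__":
    incident = [("user", "alice@contoso.com"), ("user", "bob@contoso.com"), ("ip", "203.0.113.7")]
    print(triage_tags(incident, SAMPLE_ALERTS))
    print(incident_tags(incident, SAMPLE_ALERTS))
```

In Sentinel itself the count step is the KQL equivalent of this loop: filter SecurityAlert by TimeGenerated, mv-expand the parsed Entities column, match the account or IP entity, and summarize dcount(SystemAlertId); the sensitive-user check would normally be a lookup against a watchlist, and the playbook would then pass the resulting tag names to the Sentinel connector action that updates the incident. Keeping the rules as data (COUNT_RULES plus a watchlist) is what makes the "library of tags" easy to extend without touching the playbook logic.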