Filter displayed alerts on the investigation panel

Hello,

I have a scenario to trigger four alerts in my Sentinel instance. This scenario does not aim at detecting a real attack and does not necessarily make sense, but exists for testing purposes.

Scenario

Successful RDP brute force attack on a Windows Server 2012, followed by the execution of multiple processes within a short time frame, then the execution of a program named "mimikatz". The logs are streamed from the server to Sentinel.

Triggered analytics rules

  1. Excessive logon failure
  2. Successful brute force
  3. Anomalous process frequency
  4. Mimikatz detected

My alerts are all triggered, as shown in the picture below. Note that I filtered incidents on the last 24h. You may also notice that incidents were not triggered in the right date order, but this is another issue I need to fix in my underlying KQL queries.

sentinel.png

Problem: if I click on the Successful brute force incident and go to the navigation pane, I see my entities, such as the computer name, etc. But if I click my computer entity and display related alerts, I get too many alerts, including alerts I triggered days ago and closed alerts, as shown in the picture below (red is the incident I initially inspected, grey is the useless alerts I don't want to see, green is the related alerts I want to see).

sentinel2.png

My questions: is there a way to display only alerts triggered in the last X hours? Another issue regarding this investigation panel is that closed alerts are displayed, and as an analyst, it would be useful to choose whether to display them or not.

Thank you all!
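One way to get the view the question asks for (related alerts on one host, only from the last X hours, only from incidents that are not closed) is to query the workspace tables directly instead of the investigation panel. This is an added example, not code from the original post or from Sentinel; it assumes the standard SecurityAlert and SecurityIncident tables and uses a placeholder host name and a 24h window that you adjust to your case.

```kusto
// Added example: reproduce the "related alerts" view with a time and status filter.
// Assumptions: standard SecurityAlert / SecurityIncident schema; placeholder host name.
let lookback = 24h;                        // the "last X hours" window from the question
let target_host = "WIN2012-PLACEHOLDER";   // placeholder: the computer entity you clicked
// SecurityIncident keeps one row per incident update, so take the latest state per
// incident and keep only incidents that are not closed, then collect their alert ids.
let open_alert_ids =
    SecurityIncident
    | where TimeGenerated > ago(lookback)
    | summarize arg_max(TimeGenerated, Status, AlertIds) by IncidentNumber
    | where Status != "Closed"
    | mv-expand AlertId = todynamic(AlertIds)
    | project AlertId = tostring(AlertId);
// Alerts in the window that belong to an open incident and name the target host
// in their Entities list (the same entity the investigation panel pivots on).
SecurityAlert
| where TimeGenerated > ago(lookback)
| where SystemAlertId in (open_alert_ids)
| mv-expand Entity = todynamic(Entities)
| where tostring(Entity.Type) =~ "host"
| extend HostName = tostring(Entity.HostName)
| where HostName =~ target_host
| summarize arg_max(TimeGenerated, AlertName, AlertSeverity, Status) by SystemAlertId
| order by TimeGenerated desc
```

Incidents created before the window but still open are excluded by the incident time filter; widen the SecurityIncident lookback if you want those alerts kept as well.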

2 Replies

@Molx32 : it is a feature we are looking into. No ETA yet.

Great! Thanks for your answer!