cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Microsoft Sentinel Potentially malicious events and Incidents

JBWfH2365
Copper Contributor

‎Feb 28 2022 10:39 AM

‎Feb 28 2022 10:39 AM

Microsoft Sentinel Potentially malicious events and Incidents

Hi, I'm relatively new to MS Sentinel and have investigated some incidents but found the Potentially malicious events on the Overview page. There were a lot of events on this map but no incidents reported. My questions are:

 

1. What is the difference between the Potentially malicious events and Incidents in Sentinel?

 

2. Do the events in the Potentially malicious events map relate to activity that affects your environment or does it apply more to the activity that the MS TI team is seeing in the wild?

 

Thank you!

Jennifer

Labels:
3,089 Views
0 Likes
1 Reply
Reply
1 Reply
Clive_Watson

‎Feb 28 2022 12:28 PM

‎Feb 28 2022 12:28 PM

Re: Microsoft Sentinel Potentially malicious events and Incidents

@JBWfH2365 

 

#1

https://docs.microsoft.com/en-us/azure/sentinel/get-visibility#get-visualization

Potential malicious events: When traffic is detected from sources that are known to be malicious, Microsoft Sentinel alerts you on the map. If you see orange, it is inbound traffic: someone is trying to access your organization from a known malicious IP address. If you see Outbound (red) activity, it means that data from your network is being streamed out of your organization to a known malicious IP address.

 

The map is described above, but its only good if you are looking at it in the UI.  When you click on the map (if you have data) you can see the query that is used. 

Where as an Incident is based on a Analytic Rule that will initiate when the trigger that you define is encountered (maybe based on the map query?).  If you create an Incident rule, it may only be needed for Inbound maliciousIP or a use case you are interested in - as it is the query is probably best for a visualisation rather than an Incident, which would typically require more tuning in the KQL to reduce the noise.

 

#2 your data is used, so maliciousIP is compared to your IP addresses seen in the (up to 6) data sources used. 

1 Like
Reply