Microsoft Sentinel Potentially malicious events and Incidents


Hi, I'm relatively new to MS Sentinel and have investigated some incidents but found the Potentially malicious events on the Overview page. There were a lot of events on this map but no incidents reported. My questions are:

 

1. What is the difference between the Potentially malicious events and Incidents in Sentinel?

 

2. Do the events in the Potentially malicious events map relate to activity that affects your environment or does it apply more to the activity that the MS TI team is seeing in the wild?

 

Thank you!

Jennifer

1 Reply

@JBWfH2365 

 

#1

https://docs.microsoft.com/en-us/azure/sentinel/get-visibility#get-visualization

Potential malicious events: When traffic is detected from sources that are known to be malicious, Microsoft Sentinel alerts you on the map. If you see orange, it is inbound traffic: someone is trying to access your organization from a known malicious IP address. If you see Outbound (red) activity, it means that data from your network is being streamed out of your organization to a known malicious IP address.

 

The map is described above, but it's only good if you are looking at it in the UI. When you click on the map (if you have data) you can see the query that is used.

Whereas an Incident is based on an Analytic Rule that will initiate when the trigger that you define is encountered (maybe based on the map query?). If you create an Incident rule, it may only be needed for Inbound maliciousIP or a use case you are interested in - as it is, the query is probably best for a visualisation rather than an Incident, which would typically require more tuning in the KQL to reduce the noise.

 

#2 your data is used, so maliciousIP is compared to your IP addresses seen in the (up to 6) data sources used.
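
To illustrate the tuning the reply mentions, here is an added example (not part of the original thread, and not the Overview map's own query) of a KQL query that could back a scheduled analytics rule for inbound traffic only. It assumes a CEF source writing to CommonSecurityLog; the thresholds and the DeviceAction values are placeholders to adjust per environment.

```kql
// Added example: candidate query for a scheduled analytics rule.
// Assumptions: CEF data in CommonSecurityLog; thresholds and DeviceAction
// values are placeholders, tune them against your own baseline.
let lookback = 1h;
let minEvents = 10;   // assumed noise floor: events per malicious IP
let minTargets = 3;   // assumed: distinct internal destinations contacted
CommonSecurityLog
| where TimeGenerated > ago(lookback)
// Only rows where a known-malicious address was matched
| where isnotempty(MaliciousIP)
// Inbound only: the flagged address is the source of the connection
| where SourceIP == MaliciousIP
// Drop traffic the device already blocked (values are vendor-specific)
| where DeviceAction !in~ ("deny", "drop", "block", "reset")
| summarize
    Events    = count(),
    Targets   = dcount(DestinationIP),
    Ports     = make_set(DestinationPort, 20),
    FirstSeen = min(TimeGenerated),
    LastSeen  = max(TimeGenerated)
    by MaliciousIP, IndicatorThreatType, DeviceVendor, DeviceProduct
// Raise an alert only for repeated or broad activity, not single hits
| where Events >= minEvents or Targets >= minTargets
| project MaliciousIP, IndicatorThreatType, Events, Targets, Ports,
          FirstSeen, LastSeen, DeviceVendor, DeviceProduct
```

Mapping MaliciousIP to an IP entity in the rule keeps repeated hits from the same address grouped under one incident.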