It sure would be nice for Sentinel to report what user accounts generated Alerts


Sentinel's main screen is reporting 15 alerts for me during the last 24 hours.  I click on the Alerts count and it drops me into Log Analytics and runs the Alerts query.  Great.

The results show things like this.

(screenshot: results of the Alerts query in Log Analytics)

Cool, this is all useful information.  If I open any of these, there is no information on what user generated the issue or what file was edited.  Would not the next logical step be for me to find out from the user that generated these alerts what they were doing to cause the alert to fire? 

2 Replies

@jsebast1245: You might want to start with the incidents screen which will provide more information on the latest incidents, including the relevant entities.  

Still doesn't seem very useful to me:

(screenshots: the incident details view, with its alerts, events and entities)

There are links to alerts and events, but no info on what the actual action taken by AntiMalWare was, which is really the information I'd expect this all to produce for me and which is what I'd be interested in knowing from this incident.
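The reply above points at the incident's entities as the place where the user and file live. Those same entities are also attached to every row of the SecurityAlert table, in the Entities column, as a JSON array. The query below is an added example, not code from the thread or from Microsoft: it flattens that array so each alert from the last 24 hours is listed next to the account, host and file entities it carries. It assumes the standard SecurityAlert table in the Sentinel workspace and the Sentinel entity field names (Type, Name, NTDomain, HostName, Directory); alerts whose provider attaches no entities of those types will simply show empty sets.

```kql
// Added example (not from the thread): list the account, host and file
// entities attached to each alert from the last 24 hours.
// Assumes the SecurityAlert table and the Sentinel entity schema field names.
SecurityAlert
| where TimeGenerated > ago(24h)
| extend EntityList = parse_json(Entities)          // Entities is a JSON string
| mv-expand Entity = EntityList                      // one row per entity
| extend EntityType = tostring(Entity.Type)
| where EntityType in ("account", "host", "file")
| extend EntityLabel = case(
      EntityType == "account", strcat(tostring(Entity.NTDomain), @"\", tostring(Entity.Name)),
      EntityType == "host",    tostring(Entity.HostName),
      EntityType == "file",    strcat(tostring(Entity.Directory), @"\", tostring(Entity.Name)),
      "")
| summarize Accounts = make_set_if(EntityLabel, EntityType == "account"),
            Hosts    = make_set_if(EntityLabel, EntityType == "host"),
            Files    = make_set_if(EntityLabel, EntityType == "file")
      by SystemAlertId, TimeGenerated, AlertName, ProviderName, AlertSeverity
| order by TimeGenerated desc
```

Run it from the Logs blade in place of the stock Alerts query. If an alert still comes back with empty Accounts and Files sets, the provider did not attach those entities to the alert itself, and the answer has to come from the underlying events the incident links to rather than from the alert record.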