New Blog Post | "How to reduce incident triage and investigation times using dynamic alert details"

Microsoft


Alert enrichment "how to reduce incident triage and investigation times using dynamic alert details" - Microsoft Tech Community: https://techcommunity.microsoft.com/t5/azure-sentinel/alert-enrichment-quot-how-to-reduce-incident-triage-and/ba-p/2687271

Generally, the purpose of "alert enrichment" is to allow customization of the alert created from the detection.

The main goal is to reduce the time it takes an analyst to triage and handle the incident. The same applies to "Alert details" dynamic content.
In Azure Sentinel, when you create a detection (an analytics rule), the rule name (together with its description, MITRE tactics and severity) populates every alert created from that rule, so by default all alerts from one rule look the same regardless of what the query actually matched.
Now let's examine the following case study to see how we can leverage the "Alert details" dynamic content for better investigation and incident handling.
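The mechanism described above, as an added example that is not part of the original post: a scheduled analytics rule normally stamps its static name, description, severity and tactics onto every alert, while the "Alert details" override lets those fields be computed per alert from columns the rule's KQL query returns, using `{{ColumnName}}` placeholders. The rule fragment below is constructed and modelled on the `alertDetailsOverride` block of a Microsoft Sentinel scheduled rule (property names `alertDisplayNameFormat`, `alertDescriptionFormat`, `alertSeverityColumnName`, `alertTacticsColumnName` as I recall them from the Sentinel REST API; treat them as assumptions, not as quoted from the post). The sample result rows and the fallback policy (static text when a placeholder's column is missing, rule severity when the column holds an invalid value) are this example's own choices, not documented Sentinel behaviour.

```python
import re
from typing import Any, Dict, List, Optional

# Severity values Sentinel accepts for an alert; anything else falls back to the rule's default.
VALID_SEVERITIES = {"Informational", "Low", "Medium", "High"}
# Placeholder syntax used in dynamic alert details: {{ColumnName}}
PLACEHOLDER = re.compile(r"\{\{(\w+)\}\}")

# Constructed analytics rule (hypothetical; shaped like a Sentinel scheduled rule's
# alertDetailsOverride block, property names assumed).
RULE: Dict[str, Any] = {
    "displayName": "Suspicious sign-in",
    "description": "Multiple failed sign-ins followed by a success.",
    "severity": "Medium",
    "tactics": ["InitialAccess"],
    "alertDetailsOverride": {
        "alertDisplayNameFormat": "Suspicious sign-in for {{UserPrincipalName}} from {{IPAddress}}",
        "alertDescriptionFormat": "{{FailedCount}} failed sign-ins before success from {{IPAddress}} ({{Country}})",
        "alertSeverityColumnName": "ComputedSeverity",
        "alertTacticsColumnName": "ComputedTactics",
    },
}

# Constructed query result rows, one alert per row, standing in for the rule's KQL output.
SAMPLE_ROWS: List[Dict[str, Any]] = [
    {"UserPrincipalName": "alice@contoso.example", "IPAddress": "203.0.113.10", "Country": "NL",
     "FailedCount": 27, "ComputedSeverity": "High", "ComputedTactics": "CredentialAccess"},
    {"UserPrincipalName": "bob@contoso.example", "IPAddress": "198.51.100.7", "Country": "US",
     "FailedCount": 3, "ComputedSeverity": "bogus", "ComputedTactics": ""},
]


def render(template: str, row: Dict[str, Any]) -> Optional[str]:
    """Substitute {{Column}} placeholders from one result row.

    Returns None when a referenced column is absent, so the caller can fall back
    to the rule's static text (this example's policy, not a documented Sentinel one).
    """
    if any(col not in row for col in PLACEHOLDER.findall(template)):
        return None
    return PLACEHOLDER.sub(lambda m: str(row[m.group(1)]), template)


def build_alert(rule: Dict[str, Any], row: Dict[str, Any]) -> Dict[str, Any]:
    """Produce the alert fields an analyst would see for one query result row."""
    override = rule.get("alertDetailsOverride", {})

    # Title and description: dynamic format if every placeholder resolves, else static rule text.
    title = render(override.get("alertDisplayNameFormat", ""), row) or rule["displayName"]
    description = render(override.get("alertDescriptionFormat", ""), row) or rule["description"]

    # Severity: taken from the named column only when it holds a valid value.
    severity = rule["severity"]
    sev_col = override.get("alertSeverityColumnName")
    if sev_col and row.get(sev_col) in VALID_SEVERITIES:
        severity = row[sev_col]

    # Tactics: comma-separated column value, falling back to the rule's own tactics when empty.
    tactics = list(rule.get("tactics", []))
    tac_col = override.get("alertTacticsColumnName")
    if tac_col and row.get(tac_col):
        tactics = [t.strip() for t in str(row[tac_col]).split(",") if t.strip()]

    return {"title": title, "description": description, "severity": severity, "tactics": tactics}


def build_alerts(rule: Dict[str, Any], rows: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
    return [build_alert(rule, row) for row in rows]


if __name__ == "__main__":
    for alert in build_alerts(RULE, SAMPLE_ROWS):
        print(alert)
```

The part that does the work in a real rule is the KQL: the query has to project the columns the override names, for instance computing `ComputedSeverity` with an `iff()` on the failed-sign-in count so that a noisy password spray and a lone typo do not arrive in the queue with the same title and severity. The second sample row shows why the fallbacks matter: an invalid severity string or an empty tactics column must not produce an alert with no severity or no tactic, so the rule's static values are used instead.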

