What’s new: Similar incidents in Microsoft Sentinel

This post has been republished via RSS; it originally appeared at: New blog articles in Microsoft Tech Community.

When triaging or investigating an incident, the context of all other incidents in your SOC can be extremely useful. Other incidents involving the same entities, for example, provide context that lets you reach the right decision faster. Now in public preview, we are happy to announce a new tab in the incident page that lists other incidents similar to the one you are investigating. Some common use cases for similar incidents are:


  • Finding other incidents that might be part of a larger attack story.
  • Using a similar incident as a reference for incident handling: the way the previous incident was handled can act as a guide for handling the current one.
  • Finding the relevant people in your SOC who have handled similar incidents, for guidance or consultation.


Similar incidents are calculated by an algorithm we developed. It factors in shared entities, a shared analytics rule, and shared alert details, and ranks the results by similarity. Only the 20 most similar incidents from the last 14 days are presented, so as not to overload analysts; future improvements will allow those figures to be configured.


[Screenshot from the original post: the Similar incidents tab on the incident page]

This feature is part of our ongoing effort to give analysts as much context as possible when investigating an incident, allowing quicker decisions and a faster time to resolution. Suggestions for other improvements to this feature, or requests for features that are missing, are always appreciated!


To read more:
