What’s new: Similar incidents in Microsoft Sentinel

This post has been republished via RSS; it originally appeared at: New blog articles in Microsoft Tech Community.

When triaging or investigating an incident, the context of all the other incidents in your SOC can be extremely useful. Other incidents involving the same entities, for example, provide context that helps you reach the right decision faster. Now, in public preview, we are happy to announce a new tab in the incident page that lists other incidents similar to the one you are investigating. Some common use cases for similar incidents are:

Similar incidents are calculated by an algorithm we developed. The algorithm factors in shared entities, a shared analytics rule and shared alert details, and ranks the results by similarity. Only the 20 most similar incidents from the last 14 days are presented, so as not to overload analysts; future improvements will allow those figures to be configured.
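To make the ranking described above concrete, here is an added Python sketch of the same idea. It is my own illustration, not Microsoft's algorithm (whose weights are not published): it scores candidate incidents by shared entities, shared rule and shared alert details, keeps only incidents from the last 14 days, and returns at most 20. The weights, field names and sample incidents are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class Incident:
    incident_id: str
    created: datetime
    rule_id: str                  # analytics rule that raised the incident
    entities: frozenset           # e.g. {"user:alice", "host:ws01"}
    alert_details: frozenset      # e.g. alert names or tactics

def similarity(a: Incident, b: Incident) -> int:
    """Assumed weights: shared entities count most, then rule, then alert details."""
    shared_entities = len(a.entities & b.entities)
    same_rule = 1 if a.rule_id == b.rule_id else 0
    shared_details = len(a.alert_details & b.alert_details)
    return 3 * shared_entities + 2 * same_rule + shared_details

def similar_incidents(target, incidents, now, window_days=14, limit=20):
    """Rank other incidents from the last `window_days` by similarity, top `limit`."""
    cutoff = now - timedelta(days=window_days)
    scored = []
    for inc in incidents:
        if inc.incident_id == target.incident_id or inc.created < cutoff:
            continue                          # skip self and stale incidents
        score = similarity(target, inc)
        if score > 0:                         # nothing in common: not "similar"
            scored.append((score, inc))
    # Highest score first; ties broken by the more recent incident.
    scored.sort(key=lambda s: (-s[0], -s[1].created.timestamp()))
    return [inc for _, inc in scored[:limit]]

def demo() -> list:
    """Constructed sample data: returns the ranked list of similar incident ids."""
    now = datetime(2022, 6, 1, 12, 0)
    ent = frozenset({"user:alice", "host:ws01"})
    target = Incident("INC-100", now, "R-BruteForce", ent, frozenset({"BruteForce"}))
    others = [
        Incident("INC-101", now - timedelta(days=2), "R-BruteForce", ent, frozenset({"BruteForce"})),
        Incident("INC-102", now - timedelta(days=5), "R-Travel", frozenset({"host:ws01"}), frozenset({"ImpossibleTravel"})),
        Incident("INC-103", now - timedelta(days=20), "R-BruteForce", ent, frozenset({"BruteForce"})),  # outside window
        Incident("INC-104", now - timedelta(days=1), "R-Malware", frozenset({"host:srv09"}), frozenset({"Malware"})),  # nothing shared
    ]
    return [i.incident_id for i in similar_incidents(target, others, now)]

if __name__ == "__main__":
    print(demo())
```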

This feature is part of our ongoing effort to give analysts as much context as possible when investigating an incident, enabling quicker decision-making and a faster time to resolve. Suggestions for further improvements to this feature, or requests for features that are missing, are always appreciated!

To read more:
