This article is more than 1 year old
Security pros get ability to manually add incidents to Microsoft Sentinel
*Tappity tappity* Yes the NSA's on the phone. Well maybe the automated log check didn't pick it up yet, Chad!
In an IT world that is increasingly automated, there are still occasions when manual operations are necessary. According to Microsoft, one of these times is when security events are reported to enterprise security operation centers (SOCs).
Reports of such malicious events can come from a range of sources and those that are identified by security event and incident management (SIEM) and extended detection and response (XDR) systems are automatically collected into alerts, which then become incidents.
For Microsoft Sentinel, the company's Azure-based cloud SIEM tool, the two primary sources of incidents are created automatically by detection mechanisms on the logs and alerts that Sentinel pulls in from various connected data sources or ingested directly from other Microsoft services, such as 365 Defender.
"However, at times a possible security breach is reported by other means – such as a phone call, an email, hunting results or a customer request," Michal Shechter, senior product manager of R&D at Microsoft Sentinel, wrote in a blog post Monday. "Those incidents need to be documented when it has been reported, partially investigated, or even resolved."
Given that, Microsoft is introducing a feature to Sentinel to enable security analysts to manually create an incident report and the ability to manually delete the incident if needed.
The new capabilities allow for a single view of all incidents that are triaged, investigated, opened, or closed by an SOC regardless of how the events are reported, Shechter wrote.
"With the 'manual incident creation' feature, analysts can now create an incident manually in the Sentinel portal and also by using the new 'Create incident (preview)' LogicApp action (joining the already existing ability to create an incident through the API)," she wrote. "If an incident was mistakenly logged, or is an exact duplicate of another incident, it can now be deleted from the grid using the new "delete" option or using an API – leaving only audit information in the Log Analytics table."
Azure Sentinel is a relatively new player in an SIEM market that is expected to grow from $2.83 billion in 2019 to $6.24 billion by 2027, according to analysts with research firm The Insight Partners.
Microsoft introduced the cloud-based tool three years ago, competing against the likes of Exabeam Fusion, IBM QRader (which runs on Windows environments), Splunk Enterprise Security, SolarWinds SIEM, and Datadog Security Monitoring.
It provides both SIEM and SOAR (security orchestration, automation, and response) and uses AI techniques to hunt for and investigate threats. Being able to more easily pull in manually created incident reports and sort through them for duplicates or errors will give security administrators and SOCs a more complete picture of the threat environment facing an enterprise.
Shechter wrote that two playbooks in the Sentinel template gallery will enable users to create out-of-the-box incidents that use the email template and Microsoft Forms, which will reduce the time between the SOC learning about the incident and when the incident is logged in Sentinel.
In the Sentinel portal, users can use a "create incident (preview)" button and fill out a number of required fields, including the incident's title, severity, and status. When the user selects "create," the incident is immediately added to the incidents queue. Users can see how to do this here.
- FBI: Look out, crooks stole $1.3b in cryptocurrency in just three months this year
- In the cloud, things aren't always what they SIEM: Microsoft rolls out AI-driven Azure Sentinel
- Microsoft crams Office 365 docs into Edge-style sandboxes to thwart malware infections
- Microsoft widens enterprise access to its threat intelligence pool
If a user opts for using playbooks, they can use the new "create incident (preview)" avenue. The new playbook templates can be found in the playbooks gallery, offering a dedicated email template or a Microsoft Form.
Incidents can be deleted either by using an API or the "delete" button in the incidents grid, according to Shechter. Users can delete one incident or can select multiple incidents and delete them through a bulk action. However, those created in M365D or synchronized with it can't be deleted.
Information about deleting incidents can be found here.
Shechter said the new capabilities for manually creating or deleting incidents are important for giving enterprises a more complete picture of the threats they face and wrote that "more capabilities will be added to Sentinel to allow better case management, and to this feature: such as the ability to relate entities, relate alerts and add evidence." ®