Incident Management in Microsoft Sentinel – Create and delete incidents

During the everyday work of the SOC, suspicious and malicious events surface from many sources. Events identified by SIEM and XDR systems are aggregated into alerts, and those alerts become incidents. At times, however, a possible security breach is reported by other means, such as a phone call, an email, hunting results or a customer request. Those incidents need to be documented as well, whether they have only been reported, have been partially investigated, or have already been resolved.

Today we would like to announce the “Manual incident creation” feature, along with the “Delete incident” capability. With the “manual incident creation” feature, analysts can now create an incident manually in the Sentinel portal or by using the new “Create incident (preview)” LogicApp action (joining the already existing ability to create an incident through the API). If an incident was mistakenly logged, or is an exact duplicate of another incident, it can now be deleted from the grid using the new “delete” option or using an API – leaving only audit information in the Log Analytics table.

Two playbook templates are available in the template gallery, allowing out-of-the-box incident creation from an email template and from Microsoft Forms, thus reducing the time between the SOC learning about an incident and that incident being logged in Sentinel.

Manually creating an incident using the Sentinel portal:

You can easily create an incident using the “Create incident (preview)” button. There are some required fields such as the incident’s title, severity, and status. When “Create” is selected, the incident is immediately added to the incidents queue. Documentation on how to manually create incidents can be found here: https://docs.microsoft.com/azure/sentinel/create-incident-manually.

Manually creating an incident using LogicApp action:

To create an incident using playbooks, use the new “Create incident (preview)” action.

The new playbook templates now available in the playbooks gallery make it easy to build playbooks that create an incident whenever one is reported to the SOC through a dedicated email template or a Microsoft Form.

Deleting an incident using the Sentinel portal:

Incidents can be deleted using an API or using the “Delete” button in the incidents grid. It’s possible to delete just one incident, or to select multiple incidents and delete them by a bulk action. Incidents generated in or synchronized with M365D can’t be deleted.

Documentation for this feature is available here: https://docs.microsoft.com/azure/sentinel/delete-incident.
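The post mentions that incidents can be created and deleted through the API as well as from the portal. The following is an added example, not code from the original post or from Microsoft, showing how a small client would do both against the Microsoft.SecurityInsights incidents endpoint. It assumes the ARM resource URL shape shown in incident_url, the api-version string, the documented Severity and Status enum values, and a bearer token obtained elsewhere (for example from Azure CLI). The send parameter is an injectable transport, so the request-building and validation logic can be exercised offline with a fake; the default transport uses urllib for real calls.

```python
"""Create and delete a Microsoft Sentinel incident through the Azure REST API.

Added example for this post; not Microsoft's code. Assumptions: the
Microsoft.SecurityInsights incidents URL shape, the api-version below, and a
caller-supplied bearer token.
"""
import json
import uuid
import urllib.request
from urllib.error import HTTPError

ARM = "https://management.azure.com"
API_VERSION = "2022-11-01"  # assumption: a stable SecurityInsights api-version

# Allowed values for the two required enum fields of the incident resource.
SEVERITIES = {"High", "Medium", "Low", "Informational"}
STATUSES = {"New", "Active", "Closed"}


def incident_url(subscription, resource_group, workspace, incident_id):
    """Build the ARM URL of one incident inside a Sentinel-enabled workspace."""
    return (
        f"{ARM}/subscriptions/{subscription}/resourceGroups/{resource_group}"
        f"/providers/Microsoft.OperationalInsights/workspaces/{workspace}"
        f"/providers/Microsoft.SecurityInsights/incidents/{incident_id}"
        f"?api-version={API_VERSION}"
    )


def build_incident_body(title, severity, status, description=""):
    """Enforce the same required fields the portal form does, then return the PUT body."""
    if not title or not title.strip():
        raise ValueError("title is required")
    if severity not in SEVERITIES:
        raise ValueError(f"severity must be one of {sorted(SEVERITIES)}")
    if status not in STATUSES:
        raise ValueError(f"status must be one of {sorted(STATUSES)}")
    return {"properties": {"title": title, "severity": severity,
                           "status": status, "description": description}}


def http_send(method, url, token, body=None):
    """Real transport: returns (HTTP status, parsed JSON body or None)."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method)
    req.add_header("Authorization", f"Bearer {token}")
    req.add_header("Content-Type", "application/json")
    try:
        with urllib.request.urlopen(req) as resp:
            raw = resp.read()
            return resp.status, (json.loads(raw) if raw else None)
    except HTTPError as err:
        return err.code, None


def create_incident(sub, rg, ws, token, title, severity, status,
                    description="", send=http_send, incident_id=None):
    """PUT a new incident (the API chooses nothing; the client supplies the GUID)."""
    incident_id = incident_id or str(uuid.uuid4())
    body = build_incident_body(title, severity, status, description)
    code, payload = send("PUT", incident_url(sub, rg, ws, incident_id), token, body)
    if code not in (200, 201):
        raise RuntimeError(f"create failed with HTTP {code}")
    return incident_id, payload


def delete_incident(sub, rg, ws, token, incident_id, send=http_send):
    """DELETE an incident; True on success. Any refusal (for example for an
    incident synchronized with M365D, which cannot be deleted) is raised so
    the analyst sees it rather than assuming the record is gone."""
    code, _ = send("DELETE", incident_url(sub, rg, ws, incident_id), token)
    if code in (200, 204):
        return True
    raise RuntimeError(f"delete failed with HTTP {code}")


if __name__ == "__main__":
    # Offline demo with a constructed fake transport that echoes the request.
    def fake_send(method, url, token, body=None):
        return (201, {"properties": body["properties"]}) if method == "PUT" else (200, None)

    iid, created = create_incident("sub-placeholder", "rg-placeholder", "ws-placeholder",
                                   "token-placeholder", "Phishing reported by phone",
                                   "Medium", "New", send=fake_send)
    print("created", iid, created["properties"]["status"])
    print("deleted", delete_incident("sub-placeholder", "rg-placeholder",
                                     "ws-placeholder", "token-placeholder",
                                     iid, send=fake_send))
```

Because deletion leaves only audit information behind, the delete helper deliberately raises on anything other than a success status instead of returning quietly, so an automation that removes duplicates cannot silently skip an incident it was not permitted to remove.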

Conclusion

These new case management capabilities provide a single pane of glass for all incidents triaged and investigated by the SOC, open or closed, regardless of their origin. More capabilities will be added to Sentinel to improve case management, and to this feature in particular, such as the ability to relate entities, relate alerts and add evidence.
