Azure Sentinel Daily Task: Investigate Incidents

This is part of a continuing series in relation to the Suggested Daily, Weekly, and Monthly Tasks for Azure Sentinel, which outlines tasks for security analysts. In this article, I’ll talk about investigating incidents as part of a daily regimen for an Azure Sentinel analyst. There’s deeper discussions and training that’s required to get a good handle on the ins-and-outs of working with Azure Sentinel. I won’t dig deep into those here, but instead give an overview for this specific daily task.

For customers that want deeper dives for Azure Sentinel, you have a few options:

  1. Sift through our docs platform.
  2. Contact your TAM and ask for me by name. 🙂
  3. Use the following link to access a reference page for our Level-400 training: https://aka.ms/SentinelNinja

In fact, this particular blog series is being developed into a workshop on its own and will also cover the additional, deeper knowledge for taking next steps.

NOTE: Depending on the size of the SOC, the daily task covered here is generally associated with a Tier 1 or Tier 2 analyst. For smaller teams, or environments where there is no dedicated security team, this task may be distributed to anyone who has capability to perform it. BUT, this task should definitely be performed daily.

Digging in

The first thing the Azure Sentinel analyst will want to do at the start of each workday is to access the Overview blade in the Azure Sentinel console. The Overview blade is the “dashboard” that appears by default when the Azure Sentinel console is accessed. There’s a ton of good information on the Overview page, but for this specific task I’ll focus on the Recent Incidents section.

The Azure Sentinel analyst will want to take particular note of the Recent Incidents section. This is a good place to start to identify that new Incidents have been automatically created based on the Analytics Rules that have been enabled. If new Incidents show here, you can rest assured that your Analytics Rules are working and that Azure Sentinel is doing its job sifting through the data that it is receiving and applying its intelligence.

(click on each image for a larger view)

Next, now knowing that there are recent incidents available, hop over to the Incidents blade to get a look at what has been generated. Take note of the Open Incidents versus the New Incidents versus those that are In Progress.

Next check the severity of the open Incidents. Knowing that there are High severity Incidents will mean the analyst will need to immediately begin investigating them. If High severity Incidents exist, filter the display by severity.

Once the results display has been filtered the analyst will need to make decisions. Do the incidents need investigated right away? Do the incidents need to be assigned to another analyst?

In cases where there are multi-tiers of analysts, a Tier 1 or Tier 2 analyst may choose to assign the High severity cases to Tier 3 or Tier 4. In cases, where a smaller team exists, the analyst may need to dig in and begin the investigation, taking notes along the way to record the investigation story and develop the case history.

Again, for customers that want deeper dives for Azure Sentinel, either sift through our docs platform or contact your TAM and ask about our Azure Sentinel workshop/POC.

Authors

One thought on “Azure Sentinel Daily Task: Investigate Incidents