Newly Expanded Azure Sentinel Feature for Closing Incidents

Working with Azure Sentinel daily, I see new features added regularly. I deliver a weeklong workshop and POC for Azure Sentinel, and it's rare that I don't discover something new during a workshop and then have to learn it and teach it on the fly.

But that’s a good thing. As with everything in Azure, Azure Sentinel features are in constant motion. The improvements are all based on customer feedback and requests.

One brand new feature is sure to make customers happy: we recently expanded the options available when closing an Incident.

Prior to the update, an Incident had three possible statuses: New, In Progress, and Closed. With this addition, setting the status to Closed now requires you to also select one of the following classifications:

  • True Positive, suspicious activity
  • Benign Positive, suspicious but expected
  • False Positive, incorrect alert logic
  • False Positive, inaccurate data
  • Undetermined

This addition is designed to help customers tune their Analytics Rules and improve the performance of their SOC. The classifications separate the cases that call for different work: the two False Positive reasons distinguish a rule whose logic needs revising from a rule that is being fed inaccurate data, while Benign Positive marks activity that fired correctly but is expected in the environment and may warrant an exclusion.
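To show how the closing classifications feed back into rule tuning, here is an added Python example (not code from the original post or from Azure Sentinel). It tallies closed incidents per analytics rule, computes a false-positive rate that excludes Undetermined closures, and maps the dominant False Positive reason to a different follow-up action. The rule names and incident records are constructed sample data, and the thresholds are assumptions chosen for illustration.

```python
"""Added example: per-rule tuning report from Azure Sentinel closing classifications."""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable

# The five classifications the post lists for closing an Incident.
TRUE_POSITIVE = "True Positive, suspicious activity"
BENIGN_POSITIVE = "Benign Positive, suspicious but expected"
FP_LOGIC = "False Positive, incorrect alert logic"
FP_DATA = "False Positive, inaccurate data"
UNDETERMINED = "Undetermined"
VALID = {TRUE_POSITIVE, BENIGN_POSITIVE, FP_LOGIC, FP_DATA, UNDETERMINED}


@dataclass(frozen=True)
class ClosedIncident:
    incident_number: int
    rule_name: str        # analytics rule that raised the incident
    classification: str   # one of VALID

    def __post_init__(self):
        if self.classification not in VALID:
            raise ValueError(f"unknown classification: {self.classification!r}")


def _many(start, rule, classification, n):
    """Build n closed incidents for one rule with the same classification."""
    return [ClosedIncident(start + i, rule, classification) for i in range(n)]


# Constructed sample data (hypothetical rule names, not real incidents).
SAMPLE_INCIDENTS = (
    _many(100, "Brute force attempts", TRUE_POSITIVE, 3)
    + _many(110, "Brute force attempts", BENIGN_POSITIVE, 1)
    + _many(120, "Brute force attempts", UNDETERMINED, 1)
    + _many(200, "Rare process executed", FP_LOGIC, 4)
    + _many(210, "Rare process executed", FP_DATA, 1)
    + _many(220, "Rare process executed", TRUE_POSITIVE, 1)
    + _many(300, "Impossible travel", FP_DATA, 3)
    + _many(310, "Impossible travel", BENIGN_POSITIVE, 2)
    + _many(320, "Impossible travel", UNDETERMINED, 1)
    + _many(400, "New Global Admin added", BENIGN_POSITIVE, 6)
    + _many(410, "New Global Admin added", TRUE_POSITIVE, 1)
    + _many(500, "Scratch rule", FP_LOGIC, 2)
)


def counts_by_rule(incidents: Iterable[ClosedIncident]) -> Dict[str, Counter]:
    """Per-rule tally of closing classifications."""
    tally: Dict[str, Counter] = {}
    for inc in incidents:
        tally.setdefault(inc.rule_name, Counter())[inc.classification] += 1
    return tally


def tuning_report(incidents, fp_threshold=0.5, benign_threshold=0.75, min_closed=5):
    """Flag rules whose closing classifications suggest tuning work.

    Undetermined closures carry no verdict, so they are left out of the
    rates, but they still count toward min_closed because they cost analyst
    time. Returns {rule: {"fp_rate", "benign_rate", "action"}}.
    """
    report = {}
    for rule, c in counts_by_rule(incidents).items():
        closed = sum(c.values())
        if closed < min_closed:
            continue  # too little evidence to act on
        judged = closed - c[UNDETERMINED]
        if judged == 0:
            continue
        fp_rate = (c[FP_LOGIC] + c[FP_DATA]) / judged
        benign_rate = c[BENIGN_POSITIVE] / judged
        if fp_rate >= fp_threshold:
            # The two False Positive reasons point at different fixes.
            if c[FP_LOGIC] >= c[FP_DATA]:
                action = "revise rule query or threshold"
            else:
                action = "check data connector, parser or enrichment"
        elif benign_rate >= benign_threshold:
            action = "expected activity: add exclusion or automate closure"
        else:
            continue
        report[rule] = {
            "fp_rate": round(fp_rate, 2),
            "benign_rate": round(benign_rate, 2),
            "action": action,
        }
    return report


if __name__ == "__main__":
    for rule, r in tuning_report(SAMPLE_INCIDENTS).items():
        print(f"{rule}: FP {r['fp_rate']:.0%}, benign {r['benign_rate']:.0%} -> {r['action']}")
```

Running it against the sample data flags "Rare process executed" for a logic fix, "Impossible travel" for a data-quality check, and "New Global Admin added" as expected activity, while "Brute force attempts" (mostly true positives) and "Scratch rule" (too few closures) are left alone.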

NOTE: The values recorded in this new field will soon be available to query through a new Incident schema table. More on that later…
