Top New Incident Experience Features for Microsoft Sentinel
Rollin', rollin', rollin' -- RAWHIDE!
A new, much anticipated feature has rolled out (for some, it’s in the midst of rollout) - the new Microsoft Sentinel Incident experience.
I’m not going to go into great detail here in hopes you’ll attend the upcoming webinar entitled: Microsoft Sentinel Webinar | Announcing the new Microsoft Sentinel incident investigation experience!
But instead, I’ll give you a quick preview of what you can expect.
New Rollout Model?
This release represents what I hope is a new model for feature rollouts. If you’ve been following me on Twitter and/or reading the weekly Microsoft Sentinel newsletter, your attention should have been directed to a banner announcement in each Microsoft Sentinel Incident. This banner was a precursor, preparing customers for the forthcoming feature.
As part of this new rollout model, you’re not only alerted to the coming feature, but once it is rolled out, you have the opportunity to switch back and forth between the old experience and the new one.
This new Incident experience delivers several new capabilities that enable a much richer environment from which you can derive more information more quickly. And it makes the Incident itself more interactive.
Activity Log
As shown in the next image, the full activity log of the Incident is accessible directly from the Incident menu.
This feature also gives analysts the ability to add comments on the activity information, similar to how the Tasks feature works.
Using this option produces a panel overlay so you stay in the Incident and never have to be transported elsewhere in the Microsoft Sentinel console.
It’s worth noting that this feature replaces the old Comments tab in the old experience.
So, when you enter comments, or use some automation to enrich the Incident by adding comments for things like the IP source, it will go to this panel.
Sadly, this feature does not support inline images like the old version.
Logs Access
The same overlay approach applies to the Logs function. Prior to this capability, analysts would need to jump directly to the Logs blade to perform manual querying for data enrichment, which took focus away from the actual Incident.
When this function is utilized, the Logs blade is also shown in an overlaid window so it’s not necessary to leave the Incident to look for additional data.
Incidentally, this Logs overlay does not support new query tabs like the standard Logs blade does.
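As an added example (not code from the original post or from Microsoft), here is one way the automation mentioned under Activity Log could produce an enrichment comment from the same kind of query an analyst would otherwise run by hand in the Logs overlay: it asks the workspace for sign-in activity from an IP address over the last seven days and posts a plain-text summary (inline images are not supported in the new comments panel) to the Incident. It assumes the Az.Accounts, Az.OperationalInsights and Az.SecurityInsights PowerShell modules are installed, that the signed-in identity can read the workspace and write incident comments, and that the SigninLogs table is present; the resource names, workspace ID, incident ID and IP address are placeholders or constructed sample values.

```powershell
# Added example, not from the original post. Assumes the Az.Accounts,
# Az.OperationalInsights and Az.SecurityInsights modules and an identity that
# can query the workspace and add incident comments. All names/IDs below are
# placeholders; the IP address is a constructed sample from the TEST-NET-3 range.
param(
    [string]$ResourceGroupName = '<resource-group>',
    [string]$WorkspaceName     = '<sentinel-workspace>',
    [string]$WorkspaceId       = '<workspace-customer-id-guid>',
    [string]$IncidentId        = '<incident-resource-guid>',  # the incident's resource name (GUID), not its display number
    [string]$SourceIp          = '203.0.113.10'                # constructed sample value
)

# Sign in only if there is no existing Az context (e.g. when run interactively).
if (-not (Get-AzContext)) { Connect-AzAccount | Out-Null }

# The same KQL an analyst would type into the Logs overlay: sign-ins from the
# IP address, bucketed per day, with failures (ResultType other than "0") and
# the number of distinct accounts involved.
$query = @"
SigninLogs
| where TimeGenerated > ago(7d)
| where IPAddress == "$SourceIp"
| summarize SignIns = count(),
            Failures = countif(ResultType != "0"),
            DistinctUsers = dcount(UserPrincipalName)
          by bin(TimeGenerated, 1d)
| order by TimeGenerated asc
"@

$result = Invoke-AzOperationalInsightsQuery -WorkspaceId $WorkspaceId -Query $query
$rows   = @($result.Results)

# Build a plain-text comment; the new comments panel does not render inline images.
if ($rows.Count -eq 0) {
    $message = "Enrichment: no sign-ins from $SourceIp in the last 7 days."
} else {
    $lines = foreach ($r in $rows) {
        '{0:yyyy-MM-dd}: {1} sign-ins, {2} failures, {3} distinct users' -f `
            [datetime]$r.TimeGenerated, $r.SignIns, $r.Failures, $r.DistinctUsers
    }
    $message = "Enrichment: sign-ins from $SourceIp over the last 7 days (per day)`n" + ($lines -join "`n")
}

# Post the summary to the Incident; it appears in the Activity Log panel.
New-AzSentinelIncidentComment -ResourceGroupName $ResourceGroupName `
    -WorkspaceName $WorkspaceName -IncidentId $IncidentId -Message $message
```

Run the script once per Incident from a scheduled job or the step that already handles your enrichment; the `-IncidentId` value is the incident's resource GUID (visible in the incident URL), not the friendly incident number shown in the portal.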
Incident Actions
Another piece of the new Incident experience is the Incident Actions option.
Incident Actions provides a quick list of things that can be done against the open Incident, such as running a Playbook, creating an Automation Rule, or creating a Teams channel for a War Room scenario. These options have been available elsewhere, but this consolidation provides better efficiency.
Top Insights
The Top Insights feature provides yet another level of data efficiency by surfacing more about the Incident, including things like Sign-ins over time, IP address with remote connections, anomalously high number of security events and more.
This is a growing list of insights that are specifically selected by our security researchers and experts.
When additional insights are available for the specific Incident, they will automatically display in the Top Insights panel.
And don’t miss it: there are more Insights in the Entities tab!
Alert Info
The new Alert Info feature looks very similar to the old Incident experience’s information panel.
Clicking on an alert or bookmark in the new Timeline panel produces familiar concepts like severity information, MITRE ATT&CK tactics and techniques, Rule name, etc.
This new Incident experience (IMO) is a huge improvement over the old experience and is something that has been needed for a long while. I’m positive this will introduce better enrichment and greater efficiency, enabling Microsoft Sentinel customers to identify, triage, manage, and close out security incidents even quicker than before.
Like it? Hate it? Let me know once you’ve had time to play with it.
The Docs for this new Incident experience are available now.
Learn more about the new investigation experience:
Looks great! Can images be posted inline with comments?