Jussi Metso
It’s all about The Cloud and The Security
January 19, 2023

Sentinel – New incident experience

New incident experience

Microsoft Sentinel is your bird’s-eye view across the enterprise alleviating the stress of increasingly sophisticated attacks, increasing volumes of alerts, and long resolution time frames.

Microsoft has now published the new incident experience in Sentinel. The new incident page design, along with many new features for investigation, response and incident management, gives the analyst the information and tools needed to understand the incident and the scope of the breach, while keeping navigation easy and context switching less frequent. New features include, among others: top insights, a new activity log for incident audits, and a Log Analytics query window for investigating logs without leaving the incident.

NOTE: THIS FEATURE IS IN PUBLIC PREVIEW AT THE TIME OF WRITING.


Incident outlook experience

Section 1 shows the incident details panel (as well as the comments field, which is not shown in the picture).

Section 2 shows the Overview which includes triage and investigation tools.

Section 3 shows a preview of the entities; the details of each entity open when you click the entity item.

Section 4 shows similar incidents.

Section 5 shows the top insights.

Top insights are entity insights specifically chosen by Microsoft's security experts to give a quick view of the most important information about the entity: whether it appears in threat intelligence or in a watchlist, an IP address's remote connections, UEBA insights and more. These insights speed up triage and help the analyst understand the nature of the incident and its entities faster. A deeper dive into more insights on each entity is provided in the Entities tab.


In the upper right corner is the incident actions drop-down list, where you can run a playbook, create an automation rule, and create a team (preview) in Microsoft Teams to collaborate with other individuals or teams across departments on handling the incident.

You can also add comments to the incident; the comments area is under the incident details panel.

The Activity log

The new activity log includes the comments and the audit entries of the incident, whether manual or automated: severity or status changes, playbooks triggered, alerts added and more. The log is auto-refreshed (even while the analyst is scrolling the feed or writing a comment), so new audit entries or comments made by other analysts or by automation appear without a manual refresh, which makes collaboration simple.

The Activity log, together with Refresh, Delete incident, Logs (from the Log Analytics workspace) and Tasks (Preview), is found at the top of the page under the incident title.
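The same audit trail that the activity log shows is also persisted in the SecurityIncident table, which writes a new row every time the incident is modified. The following KQL is an added example (not code from the original post or from Microsoft) that reconstructs the status, severity, owner and alert-count changes of one incident from that table; the incident number 1234 is a placeholder to replace with the number shown on the incident page. It is useful when you need the history outside the portal, for example for a post-incident review or an automation check.

```kusto
// Added example: rebuild an incident's change history from the SecurityIncident table.
// Assumption: 1234 is a placeholder incident number; replace it with a real one.
let IncidentNumberToCheck = 1234;
SecurityIncident
| where IncidentNumber == IncidentNumberToCheck
| extend OwnerUpn   = tostring(Owner.userPrincipalName),
         AlertCount = array_length(AlertIds)
// order by modification time so prev() walks the history in sequence
| order by LastModifiedTime asc
| extend PrevStatus     = prev(Status),
         PrevSeverity   = prev(Severity),
         PrevOwner      = prev(OwnerUpn),
         PrevAlertCount = prev(AlertCount)
// one human-readable line per detected change, mirroring the activity log entries
| extend Changes = pack_array(
    iff(isempty(PrevStatus), "Incident created", ""),
    iff(isnotempty(PrevStatus) and Status != PrevStatus,
        strcat("Status: ", PrevStatus, " -> ", Status), ""),
    iff(isnotempty(PrevSeverity) and Severity != PrevSeverity,
        strcat("Severity: ", PrevSeverity, " -> ", Severity), ""),
    iff(isnotempty(PrevStatus) and OwnerUpn != PrevOwner,
        strcat("Owner: ", PrevOwner, " -> ", OwnerUpn), ""),
    iff(isnotempty(PrevStatus) and AlertCount > PrevAlertCount,
        strcat("Alerts added: ", AlertCount - PrevAlertCount), ""),
    iff(Status == "Closed" and PrevStatus != "Closed",
        strcat("Closed as ", Classification, " / ", ClassificationReason), ""))
| mv-expand Change = Changes to typeof(string)
| where isnotempty(Change)
| project LastModifiedTime, ModifiedBy, Change, Status, Severity, OwnerUpn
| order by LastModifiedTime asc
```

Comments are not stored in SecurityIncident, so this query covers the audit entries only; the Comments column on the same table holds the comment count, not the text. Each row in the result corresponds to one entry you would see in the activity log.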

Tasks (Preview)


Standardizing and formalizing the list of tasks an analyst should follow when triaging, investigating or remediating an incident helps keep your SOC running smoothly and ensures the same requirements apply to all analysts. These tasks, whether pre-populated by automation rules and playbooks or added manually, are now embedded in the new incident page. The analyst can follow them through the different stages of triage, investigation and remediation and mark each one as completed when done.

Log analytics query possibility

The Log Analytics panel now opens within the incident, so you can query tables and dive into evidence while the entities and incident details remain visible. The logs panel can be opened either from a dedicated button or by selecting specific evidence in the incident. Details about alerts and bookmarks are presented in the context of the timeline (just click on the element), and links to specific tables and query results open in a panel on the side. Bookmarks can also be added directly from this panel.

Entities

Entities now carry a lot of information in the context of the incident, including details on the specific entity (geo-location for IP addresses, for example), the entity's timeline, from which alerts related to the entity can be added to the incident, and entity insights. These insights include the top insights from the Overview tab plus more specific insights that allow a deeper dive. Actions on the entities, such as triggering a playbook or adding the entity to threat intelligence, are available both from the entities grid in a dedicated tab and from the entities widget.

Entities info
Entities timeline
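Two of the top insights listed above (is the entity in threat intelligence, is it on a watchlist) can be reproduced directly in the Log Analytics panel, which is handy when you want to run the same check for every IP entity of an incident at once instead of opening each entity. The KQL below is an added example, not code from the post or from Microsoft: it takes the incident's alerts from SecurityIncident, expands the entities embedded in SecurityAlert, keeps the IP entities and checks them against the ThreatIntelligenceIndicator table and a watchlist. The incident number 1234 and the watchlist name HighValueAssets are placeholders; the watchlist is assumed to have an IP address as its search key.

```kusto
// Added example: threat-intelligence and watchlist check for all IP entities of one incident.
// Assumptions: 1234 is a placeholder incident number; a watchlist named "HighValueAssets"
// exists in the workspace with an IP address column as its SearchKey.
let IncidentNumberToCheck = 1234;
// 1. Latest version of the incident (one row per modification is stored).
let Incident = SecurityIncident
    | where IncidentNumber == IncidentNumberToCheck
    | summarize arg_max(TimeGenerated, *)
    | project IncidentNumber, Title, AlertIds;
// 2. The alerts attached to the incident; the Entities column is a JSON string.
let IncidentAlerts = Incident
    | mv-expand AlertId = AlertIds to typeof(string)
    | join kind=inner (
        SecurityAlert
        | summarize arg_max(TimeGenerated, *) by SystemAlertId
      ) on $left.AlertId == $right.SystemAlertId
    | project IncidentNumber, AlertName, ProviderName,
              AlertTime = TimeGenerated, Entities = todynamic(Entities);
// 3. IP entities only (the same items the entities widget lists with type "ip").
let IncidentIPs = IncidentAlerts
    | mv-expand Entity = Entities
    | where tostring(Entity.Type) == "ip"
    | extend IPAddress = tostring(Entity.Address)
    | distinct IncidentNumber, AlertName, IPAddress;
// 4. Active, non-expired threat-intelligence indicators that carry an IP address.
let TIMatches = ThreatIntelligenceIndicator
    | where Active == true and ExpirationDateTime > now()
    | summarize arg_max(TimeGenerated, *) by IndicatorId
    | extend IPAddress = coalesce(NetworkIP, NetworkSourceIP, NetworkDestinationIP)
    | where isnotempty(IPAddress)
    | project IPAddress, TIDescription = Description, ThreatType, ConfidenceScore;
// 5. Watchlist membership, keyed on the watchlist's SearchKey column.
let WatchlistMatches = _GetWatchlist('HighValueAssets')
    | project IPAddress = tostring(SearchKey), WatchlistHit = true;
IncidentIPs
| join kind=leftouter TIMatches on IPAddress
| join kind=leftouter WatchlistMatches on IPAddress
| extend InThreatIntel = isnotempty(TIDescription),
         OnWatchlist   = coalesce(WatchlistHit, false)
| project IncidentNumber, AlertName, IPAddress, InThreatIntel, ThreatType,
          ConfidenceScore, OnWatchlist, TIDescription
| order by InThreatIntel desc, OnWatchlist desc, IPAddress asc
```

Run it from the Logs button on the incident page so the result stays side by side with the entities widget; a row with InThreatIntel or OnWatchlist set to true is the same signal the top insights show, but for every IP of the incident in one table. The same pattern extends to account or host entities by changing the Type filter and the entity field read in step 3.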

Conclusion and detailed information

I think this new incident experience is better than the old one because I can see a lot of information, and that's why I don't need to jump between different views as before. There are many links to even deeper information, but that's life. Sentinel has still been developed a lot in previous years, especially in 2022.

More details on Microsoft Learn:

Navigate and investigate incidents in Microsoft Sentinel

Understand Microsoft Sentinel’s incident investigation and case management capabilities

Microsoft Techcommunity link about this Sentinel Incident Experience by Michal Schecter

SENTINEL XDR
©2022-2025 Jussi Metso. All rights reserved.