Incidents
This page contains all the incidents created by your analytic rules and, if you have connected Microsoft Defender XDR, the incidents from Defender as well. You can distinguish the source of an incident by looking at the Incident Provider name column or by using the Incident Provider name filter.
The incident
Each incident has a name and an incident number. The incident number is tied only to Sentinel; it has no relationship to the incident or alert IDs in Microsoft Defender, but you can find the mapping between them in the raw logs.
Next you will see the current owner if one is assigned, the status, and severity. All of these can be adjusted directly on the incident.
Below that you will see other relevant information for the incident: a description, the entities involved, MITRE ATT&CK tactics, etc.
At the very bottom is a comments section where you can leave notes or see enrichment you have set up via Automations.
Tip
If you are ingesting alerts from Microsoft Defender, the owner, status, and closure reason will stay in sync. So if you close an alert in Defender it will close in Sentinel; the opposite is also true, where if you close an incident in Sentinel it will close in Defender as well.
Note that Microsoft states it can take up to 10 minutes for an incident in Defender to initially show in Sentinel. Once it does show, the owner, status, and closure reason stay in real-time sync. Unfortunately comments are not synced currently.
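The provider column, the Sentinel-only incident number and the Defender alert IDs described above can all be reconciled from the raw logs. The following KQL query is an added example, not taken from the original page; it assumes the standard SecurityIncident and SecurityAlert schema (IncidentNumber, ProviderName, ProviderIncidentId, AlertIds, Owner, SystemAlertId) and that Defender-sourced incidents carry a provider name containing "Defender".

```kusto
// Added example: map each Defender-sourced Sentinel incident to the Defender
// alert IDs behind it and show the current owner/status that the sync keeps aligned.
// Column names below are assumed to match the standard Sentinel schema.
SecurityIncident
| where TimeGenerated > ago(7d)
// Every owner/status/closure change writes a new row, so keep only the latest state per incident
| summarize arg_max(LastModifiedTime, *) by IncidentNumber
// Equivalent of the "Incident Provider name" filter in the portal (exact provider string assumed)
| where ProviderName has "Defender"
// AlertIds is a JSON array of Sentinel SystemAlertIds; expand to one row per alert
| mv-expand AlertId = AlertIds to typeof(string)
| join kind=leftouter (
    SecurityAlert
    | where TimeGenerated > ago(7d)
    | summarize arg_max(TimeGenerated, *) by SystemAlertId
    | project SystemAlertId, AlertName, ProductName
  ) on $left.AlertId == $right.SystemAlertId
| project IncidentNumber,            // Sentinel-only number shown in the portal
          ProviderIncidentId,        // the Defender-side incident ID
          Title, Status, Severity,
          Owner = tostring(Owner.assignedTo),
          AlertId, AlertName, ProductName
| order by IncidentNumber desc
```

Drop the `where ProviderName has "Defender"` line to see analytic-rule incidents alongside the Defender ones, with their provider name in the same column.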
Incident details page
On the incident page you can click View full details to get further information on your incident. On the left-hand side you will now see the same information you previously saw on the incident preview, as described above.
In the center of the page you will see the incident timeline on the left. This is just a timeline of the incident's alerts; you can see a timeline with additional information if you select an individual entity. At the bottom there will be a list of similar incidents, which can be useful for spotting a pattern or deciding how best to handle the new incident.
On the right you will see Top insights; often this contains UEBA details and the activities the various entities involved in the incident have taken. If you select an entity, this section will update with all insights for that entity.
Investigate
Clicking the Investigate button in the bottom left-hand corner will pull up a graphical visualization for the incident, joining the entities up to the alerts to aid in the investigation of more serious incidents. Selecting a node will pull up some details on it; from there you can select between Timeline, Info, Entities, and Insights. The information here will look identical to the information you were seeing on the incident details page.
Incident actions
On the incident preview you can select Actions, or on the incident full detail page there is an Incident actions button in the top right-hand corner. Selecting this will give you a few options:
- Run playbook
- Create automation rule
- Create team (Preview)
Playbooks are great for automating actions on an incident. Playbooks leverage Logic Apps, so the options are endless: you can have a playbook check the IP entity against an IP reputation database, disable the user associated with the incident, and much more.