TrustRadius
Microsoft Sentinel
Formerly Azure Sentinel

Overview

What is Microsoft Sentinel?

Microsoft Sentinel (formerly Azure Sentinel) is designed as a birds-eye view across the enterprise. It is presented as a security information and event management (SIEM) solution for proactive threat detection, investigation, and response.

Recent Reviews

Microsoft Sentinel

8 out of 10
September 12, 2023
Incentivized
So it's a lot around the correlation of different log systems within our customer systems to give us information and threat intelligence …


Popular Features

Ratings shown as average score out of 10 (and as a percentage), with the number of ratings in parentheses:

  • Centralized event and log data collection (14 ratings): 8.6 (86%)
  • Correlation (14 ratings): 8.4 (84%)
  • Event and log normalization/management (14 ratings): 8.2 (82%)
  • Custom dashboards and workspaces (14 ratings): 7.4 (74%)


Pricing

Azure Sentinel (Cloud)

  • Pay-as-you-go: $2.46 per GB ingested
  • 100 GB per day commitment tier: $123.00 per day
  • 200 GB per day commitment tier: $221.40 per day

Entry-level set up fee?

  • No setup fee

For the latest information on pricing, visit https://www.microsoft.com/en…

Offerings

  • Free Trial
  • Free/Freemium Version
  • Premium Consulting/Integration Services

Product Demos

Microsoft Sentinel: Monitoring health and integrity of analytics rules (YouTube)

Features

Security Information and Event Management (SIEM)

Security Information and Event Management is a category of security software that gives security analysts a more comprehensive view of security logs and events than they could get by looking at the log files of individual point security tools.

8.4
Avg 7.8

Product Details

What is Microsoft Sentinel?

Microsoft Sentinel is a security operations center (SOC) solution used to uncover sophisticated threats and respond with a security information and event management (SIEM) solution for proactive threat detection, investigation, and response. It eliminates security infrastructure setup and maintenance, and elastically scales to meet the user's security needs.

Helps users protect the digital estate: Secures the digital estate with scalable, integrated coverage for a hybrid, multicloud, multiplatform business.

Microsoft intelligence to empower the SOC: Optimizes SecOps with advanced AI, security expertise, and threat intelligence.

Detection, investigation and response: A unified set of tools to monitor, manage, and respond to incidents.

Cost of ownership: A cloud-native SaaS solution to reduce infrastructure costs.

Microsoft Sentinel Features

Security Information and Event Management (SIEM) Features

  • Supported: Centralized event and log data collection
  • Supported: Correlation
  • Supported: Event and log normalization/management
  • Supported: Deployment flexibility
  • Supported: Integration with Identity and Access Management Tools
  • Supported: Custom dashboards and workspaces
  • Supported: Host and network-based intrusion detection
  • Supported: Log retention
  • Supported: Data integration/API management
  • Supported: Behavioral analytics and baselining
  • Supported: Rules-based and algorithmic detection thresholds
  • Supported: Response orchestration and automation
  • Supported: Incident indexing/searching

Microsoft Sentinel Screenshots

Screenshot of Microsoft Sentinel Capabilities

Microsoft Sentinel Videos

Microsoft Sentinel: Monitoring health and integrity of analytics rules

Microsoft Sentinel Technical Details

Deployment Types: Software as a Service (SaaS), Cloud, or Web-Based
Operating Systems: Unspecified
Mobile Application: No

Frequently Asked Questions

Reviewers rate Deployment flexibility highest, with a score of 9.2.

The most common users of Microsoft Sentinel are from Enterprises (1,001+ employees).

Reviews and Ratings (67)

Reviews (1-14 of 14)
Score 8 out of 10
Vetted Review
Verified User
Incentivized
Fortunately, we never reached that stage for the past 2 years; our users have been quite compliant with all the Do's and Don'ts that we set from the very beginning, and it would be a wish to never use them in the future, but looking at the documentation, it is a great process.
November 13, 2023

SIEM means Sentinel

Yash Mudaliar | TrustRadius Reviewer
Score 9 out of 10
Vetted Review
Verified User
Incentivized
We have been working on establishing a process to reduce the triaging time by using incident investigation utilities in Sentinel. For example, we have made good use of automation rules to define which playbooks to run for many critical and/or repetitive incident categories, which helps speed up the process of investigation and response. Also, with the help of playbooks, we have been able to provide the initial set of investigation steps for many frequently occurring low-severity incidents handled by L1 analysts.
Rogier Dijkman | TrustRadius Reviewer
Score 8 out of 10
Vetted Review
Verified User
Incentivized
Microsoft Sentinel is one of the products that are being used in the investigation phases. Depending on the incident, multiple Microsoft Portals are used to retrieve the required information to investigate an incident. The mapping between resources and events is really powerful and gives a detailed overview of the incidents.
Score 8 out of 10
Vetted Review
Verified User
Incentivized
Just like other SIEM solutions, Sentinel also comes with its perks and features. The incident timeline widget by MS provides a key insight to the analyst about the major progress of the incident helping him to focus on important things. The similar incident widget again helps the analyst to understand the false positives or work on the breach situation wherein multiple solutions are impacted. The Entity tab helps the analyst focus on the IPs, hostnames, and usernames in question.
Score 8 out of 10
Vetted Review
Verified User
Incentivized
We do not rely too much on the investigation tools. Investigation is primarily done with KQL queries. The investigation dashboard is looked into to identify the entities and get a first overview of the timeline. After that we construct our own timeline by using our own queries.
Score 8 out of 10
Vetted Review
Verified User
Incentivized
1. Data Query and Search: Microsoft Sentinel provided a powerful query language that allowed analysts to search and filter security data from various sources.
Impact: Analysts quickly retrieved relevant data, which resulted in reducing the time it takes to gather evidence and establish the scope of an incident.
2. Custom Queries and Workbooks: Security analysts created custom queries and workbooks tailored to specific use cases and investigation requirements.
Impact: Customization enhanced the ability to focus on the most critical data and indicators, streamlined investigations and ensured that relevant information is readily available.
3. Interactive Investigation Maps: Sentinel's investigation maps provided a visual representation of the relationships between entities, alerts, and incidents.
Impact: Analysts were able to easily understand the context of an incident, which helped them identify the root cause and tracked lateral movement of threats.
4. Correlation and Alert Aggregation: The tool correlated alerts and security events to identify potential attack patterns and generate incidents.
Impact: Analysts saw the big picture, reduced the alert fatigue, and prioritized investigations based on the severity and impact of incidents.
5. Threat Intelligence Integration: The platform integrates with threat intelligence feeds, enriching investigation data with up-to-date threat information.
Impact: Analysts made informed decisions by understanding the context and relevance of threat indicators, such as malicious IPs, domains, or file hashes.
6. Playbooks and Automation: Security teams created automated playbooks that trigger predefined responses to specific incidents.
Impact: Playbooks accelerated response times, enabling swift mitigation of threats and reducing manual intervention.
7. Case Management: Sentinel offered case management capabilities for tracking and documenting the progress of investigations.
Impact: This feature helped teams collaborate effectively, maintain an audit trail, and ensure investigations are well-documented for compliance and reporting purposes.
9. Visualization and Reporting: Sentinel provided visualization tools and reporting capabilities to present investigation findings effectively.
Impact: Visual representations simplified communication of findings to stakeholders and management, aiding in decision-making and remediation efforts.
Score 8 out of 10
Vetted Review
Verified User
Incentivized
Microsoft Sentinel's investigation tools have had a positive impact on our incident investigation process. It made our investigations faster, more accurate, and more proactive, ultimately strengthening our organization's ability to detect threats effectively.
Glenn H. Miller | TrustRadius Reviewer
Score 9 out of 10
Vetted Review
Verified User
Incentivized
We can identify hazards in our environment, create incidents and triage them, monitor threats in real time, and do extensive investigations using AI functions. Cyber-attack mitigation. Information security, along with automation, is something that every organization requires right now, and Sentinel is working to achieve it. Automation helps to resolve incidents and alerts quickly, and combined with the scalability that the cloud solution provides, it eliminates the need for the traditional slow local deployment process.
Score 9 out of 10
Vetted Review
Verified User
Incentivized
Microsoft Sentinel’s investigation tools really enhance the whole analysis process with its timeline bookmarks while not only correlating events just like any other SIEM but also integrating something that comes directly from the SOAR world, which means correlating incidents and highlighting similar threats that have previously occurred in the infrastructure.
September 13, 2023

Microsoft Sentinel Review

Score 10 out of 10
Vetted Review
Verified User
Incentivized
The tool to look for any type of notification that anybody's trying to get into your boundary. When somebody gets a notification, they click on that notification and see what all systems were affected by the possible compromise. So being able to drill down to look at the root cause, or whatever caused this alert to take place, is part of the investigative process that we use within it. Being able to drill down to the root cause to determine whether it might be a true positive or negative is beneficial because it helps us to knock it out and move on to the next alert that we might have in the queue, and keeps us on hold and helps prevent SOC fatigue.
September 13, 2023

Microsoft Sentinel Review

Score 8 out of 10
Vetted Review
Verified User
Incentivized
They're pretty good. Their workbooks are where they really live up to a lot of their consolidation of data, so it's really good. Definitely made it a little bit easier in some questions, it's been good.
September 12, 2023

Microsoft Sentinel Review

Score 9 out of 10
Vetted Review
Verified User
Incentivized
We use it whenever there's an incident with medium and high. If we get an alert, a query or something, we just look it up and see what the logs are from source, destination, IP, port; it's very helpful. You have everything in one place. Saved me time.