Commit 046f555

Merge pull request #219514 from limwainstein/new-overview-page
New overview page
2 parents efc1008 + deb73d2 commit 046f555

7 files changed, +36 -16 lines

articles/sentinel/get-visibility.md

Lines changed: 36 additions & 16 deletions
@@ -3,42 +3,62 @@ title: Visualize collected data
33
description: Learn how to quickly view and monitor what's happening across your environment by using Microsoft Sentinel.
44
author: yelevin
55
ms.topic: quickstart
6-
ms.custom: mvc, fasttrack-edit, ignite-fall-2021, mode-other
7-
ms.date: 11/09/2021
6+
ms.date: 11/24/2022
87
ms.author: yelevin
98
---
109

1110
# Visualize collected data
1211

13-
[!INCLUDE [Banner for top of topics](./includes/banner.md)]
14-
1512
In this article, you will learn how to quickly be able to view and monitor what's happening across your environment using Microsoft Sentinel. After you connected your data sources to Microsoft Sentinel, you get instant visualization and analysis of data so that you can know what's happening across all your connected data sources. Microsoft Sentinel gives you workbooks that provide you with the full power of tools already available in Azure as well as tables and charts that are built in to provide you with analytics for your logs and queries. You can either use built-in workbooks or create a new workbook easily, from scratch or based on an existing workbook.
1613

1714
## Get visualization
1815

19-
To visualize and get analysis of what's happening on your environment, first, take a look at the overview dashboard to get an idea of the security posture of your organization. You can click on each element of these tiles to drill down to the raw data from which they are created. To help you reduce noise and minimize the number of alerts you have to review and investigate, Microsoft Sentinel uses a fusion technique to correlate alerts into incidents. **Incidents** are groups of related alerts that together create an actionable incident that you can investigate and resolve.
16+
To visualize and get analysis of what's happening on your environment, first, take a look at the overview dashboard to get an idea of the security posture of your organization. To help you reduce noise and minimize the number of alerts you have to review and investigate, Microsoft Sentinel uses a fusion technique to correlate alerts into incidents. **Incidents** are groups of related alerts that together create an actionable incident that you can investigate and resolve.
17+
18+
In the Azure portal, select Microsoft Sentinel and then select the workspace you want to monitor.
19+
20+
:::image type="content" source="./media/qs-get-visibility/overview.png" alt-text="Screenshot of the Microsoft Sentinel overview page." lightbox="./media/qs-get-visibility/overview.png":::
21+
22+
If you want to refresh the data for all sections of the dashboard, select **Refresh** at the top of the dashboard. To improve performance, the data for each section of the dashboard is pre-calculated, and you can see the refresh time at the top of each section.
23+
24+
### View incident data
25+
26+
You see different types of incident data under **Incidents**.
27+
28+
:::image type="content" source="./media/qs-get-visibility/incidents.png" alt-text="Screenshot of the Incidents section in the Microsoft Sentinel Overview page." lightbox="./media/qs-get-visibility/incidents.png":::
29+
30+
- On the top left, you see the number of new, active, and closed incidents over the last 24 hours.
31+
- On the top right, you see incidents organized by severity, and closed incidents by closing classification.
32+
- On the bottom left, a graph breaks up the incident status by creation time, in four hour intervals.
33+
- On the bottom right, you can see the mean time to acknowledge an incident and mean time to close, with a link to the SOC efficiency workbook.
34+
35+
### View automation data
2036

21-
- In the Azure portal, select Microsoft Sentinel and then select the workspace you want to monitor.
37+
You see different types of automation data under **Automation**.
2238

23-
![Microsoft Sentinel overview](./media/qs-get-visibility/overview.png)
39+
:::image type="content" source="./media/qs-get-visibility/automation.png" alt-text="Screenshot of the Automation section in the Microsoft Sentinel Overview page." lightbox="./media/qs-get-visibility/automation.png":::
2440

25-
- The toolbar across the top tells you how many events you got over the time period selected, and it compares it to the previous 24 hours. The toolbar tells you from these events, the alerts that were triggered (the small number represents change over the last 24 hours), and then it tells you for those events, how many are open, in progress, and closed. Check to see that there isn't a dramatic increase or drop in the number of events. If there is a drop, it could be that a connection stopped reporting to Microsoft Sentinel. If there is an increase, something suspicious may have happened. Check to see if you have new alerts.
41+
- At the top, you see a summary of the automation rules activity: Incidents closed by automation, the time the automation saved, and related playbooks health.
42+
- Below the summary, a graph summarizes the numbers of actions performed by automation, by type of action.
43+
- At the bottom, you can find a count of the active automation rules with a link to the automation blade.
2644

27-
![Microsoft Sentinel counters](./media/qs-get-visibility/funnel.png)
45+
### View status of data records, data collectors, and threat intelligence
2846

29-
The main body of the overview page gives insight at a glance into the security status of your workspace:
47+
You see different types of data on data records, data collectors, and threat intelligence under **Data**.
3048

31-
- **Events and alerts over time**: Lists the number of events and how many alerts were created from those events. If you see a spike that's unusual, you should see alerts for it - if there's something unusual where there is a spike in events but you don't see alerts, it might be cause for concern.
49+
:::image type="content" source="./media/qs-get-visibility/data.png" alt-text="Screenshot of the Data section in the Microsoft Sentinel Overview page." lightbox="./media/qs-get-visibility/data.png":::
3250

33-
- **Potential malicious events**: When traffic is detected from sources that are known to be malicious, Microsoft Sentinel alerts you on the map. If you see orange, it is inbound traffic: someone is trying to access your organization from a known malicious IP address. If you see Outbound (red) activity, it means that data from your network is being streamed out of your organization to a known malicious IP address.
51+
- On the left, a graph shows the number of records that Microsoft Sentinel collected in the last 24 hours, compared to the previous 24 hours, and anomalies detected in that time period.
52+
- On the top right, you see a summary of the data connector status, divided by unhealthy and active connectors. **Unhealthy connectors** indicate how many connectors have errors. **Active connectors** are connectors with data streaming into Microsoft Sentinel, as measured by a query included in the connector.
53+
- On the bottom right, you can see threat intelligence records in Microsoft Sentinel, by indicator of compromise.
3454

35-
![Malicious traffic map](./media/qs-get-visibility/map.png)
55+
### View analytics data
3656

37-
- **Recent incidents**: To view your recent incidents, their severity and the number of alerts associated with the incident. If you see a sudden peak in a specific type of alert, it could mean that there is an active attack currently running. For example, if you have a sudden peak of 20 Pass-the-hash events from Microsoft Defender for Identity (formerly Azure ATP), it's possible that someone is currently trying to attack you.
57+
You see data for analytics rules under **Analytics**.
3858

39-
- **Data source anomalies**: Microsoft's data analysts created models that constantly search the data from your data sources for anomalies. If there aren't any anomalies, nothing is displayed. If anomalies are detected, you should deep dive into them to see what happened. For example, click on the spike in Azure Activity. You can click on **Chart** to see when the spike happened, and then filter for activities that occurred during that time period to see what caused the spike.
59+
:::image type="content" source="./media/qs-get-visibility/analytics.png" alt-text="Screenshot of the Analytics section in the Microsoft Sentinel Overview page.":::
4060

41-
![Anomalous data sources](./media/qs-get-visibility/anomolies.png)
61+
You see the number of analytics rules in Microsoft Sentinel, by enabled, disabled, or auto-disabled status.
4262

4363
## Use built-in workbooks<a name="dashboards"></a>
4464
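Review bot: the Analytics screenshot tag near the end of the hunk (`:::image type="content" source="./media/qs-get-visibility/analytics.png" ...`) is the only one of the five new image tags without a `lightbox=` attribute; add `lightbox="./media/qs-get-visibility/analytics.png"` so it expands on click like the Overview, Incidents, Automation and Data screenshots. Two smaller points in the same hunk: the new Data section replaces the removed guidance on interpreting event counts with a bare description of the graph, so consider keeping one sentence of the old advice, for example that a sharp drop in records compared to the previous 24 hours can mean a connector has stopped reporting and an unexplained increase is a reason to check for new alerts, since that is why a SOC reader looks at the tile in the first place; and in the Automation and Incidents bullets, "related playbooks health" reads better as "related playbook health", "the numbers of actions" as "the number of actions", "four hour intervals" as "four-hour intervals", and "the automation blade" as "the Automation page", matching the "Overview page" wording already used in the alt text.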
