articles/sentinel/incident-navigate-triage.md
Lines changed: 20 additions & 19 deletions
@@ -26,15 +26,15 @@ This article describes how to navigate and run basic triage on your incidents in
26
26
27
27
1. From the Microsoft Sentinel navigation menu, under **Threat management**, select **Incidents**.
28
28
29
-
The **Incidents** page gives you basic information about all of your open incidents.
29
+
The **Incidents** page gives you basic information about all of your open incidents. For example:
30
30
31
-
- Across the top of the screen, you have a toolbar with actions you can take outside of a specific incident—either on the grid as a whole, or on multiple selected incidents. You also have the counts of open incidents, whether new or active, and the counts of open incidents by severity.
31
+
:::image type="content" source="media/investigate-incidents/incident-grid.png" alt-text="Screenshot of view of incident severity." lightbox="media/investigate-incidents/incident-grid.png":::
32
32
33
-
-In the central pane, you have an incident grid, which is a list of incidents as filtered by the filtering controls at the top of the list, and a search bar to find specific incidents.
33
+
-**Across the top of the screen**, you have a toolbar with actions you can take outside of a specific incident—either on the grid as a whole, or on multiple selected incidents. You also have the counts of open incidents, whether new or active, and the counts of open incidents by severity.
34
34
35
-
-On the right side, you have a details pane that shows important information about the incident highlighted in the central list, along with buttons for taking certain specific actions regarding that incident.
35
+
-**In the central pane**, you have an incident grid, which is a list of incidents as filtered by the filtering controls at the top of the list, and a search bar to find specific incidents.
36
36
37
-
:::image type="content" source="media/investigate-incidents/incident-grid.png" alt-text="Screenshot of view of incident severity." lightbox="media/investigate-incidents/incident-grid.png":::
37
+
-**On the side**, you have a details pane that shows important information about the incident highlighted in the central list, along with buttons for taking certain specific actions regarding that incident.
38
38
39
39
1. Your security operations team might have [automation rules](automate-incident-handling-with-automation-rules.md#automatic-assignment-of-incidents) in place to perform basic triage on new incidents and assign them to the proper personnel.
40
40
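Review bot: The screenshot moved up to introduce the whole Incidents page still carries the alt text "Screenshot of view of incident severity.", which no longer describes what it illustrates; since the image now stands in for the toolbar, grid and details pane described in the three bullets below it, update the alt-text to something like "Screenshot of the Incidents page showing the toolbar, incident grid, and details pane." Also, the relabel from "On the right side" to "On the side" drops the one word that told the reader where to look; keep "On the right side" in the bolded label.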
@@ -64,14 +64,15 @@ This article describes how to navigate and run basic triage on your incidents in
64
64
65
65
1. If the information in the details pane is sufficient to prompt further remediation or mitigation actions, select the **Actions** button at the bottom to do one of the following:
66
66
67
-
-**Investigate:** use the [graphical investigation tool](investigate-incidents.md#investigate-incidents-visually-using-the-investigation-graph) to discover relationships between alerts, entities, and activities, both within this incident and across other incidents.
68
-
69
-
-**Run playbook:** run a [playbook](automate-responses-with-playbooks.md#run-a-playbook-manually) on this incident to take particular [enrichment, collaboration, or response actions](automate-responses-with-playbooks.md#use-cases-for-playbooks) such as your SOC engineers might have made available.
70
-
71
-
-**Create automation rule:** create an [automation rule](automate-incident-handling-with-automation-rules.md#common-use-cases-and-scenarios) that runs only on incidents like this one (generated by the same analytics rule) in the future, in order to reduce your future workload or to account for a temporary change in requirements (such as for a penetration test).
72
-
73
-
-**Create team (Preview):** create a team in Microsoft Teams to collaborate with other individuals or teams across departments on handling the incident.
74
-
67
+
|Action | Description |
68
+
|---------|---------|
69
+
|**Investigate**| Use the [graphical investigation tool](investigate-incidents.md#investigate-incidents-visually-using-the-investigation-graph) to discover relationships between alerts, entities, and activities, both within this incident and across other incidents.|
70
+
|**Run playbook**| Run a [playbook](automate-responses-with-playbooks.md#run-a-playbook-manually) on this incident to take particular [enrichment, collaboration, or response actions](automate-responses-with-playbooks.md#use-cases-for-playbooks) such as your SOC engineers might have made available.|
71
+
|**Create automation rule**| Create an [automation rule](automate-incident-handling-with-automation-rules.md#common-use-cases-and-scenarios) that runs only on incidents like this one (generated by the same analytics rule) in the future, in order to reduce your future workload or to account for a temporary change in requirements (such as for a penetration test). |
72
+
|**Create team (Preview)**| Create a team in Microsoft Teams to collaborate with other individuals or teams across departments on handling the incident. |
73
+
74
+
For example:
75
+
75
76
:::image type="content" source="media/investigate-incidents/incident-actions.png" alt-text="Screenshot of menu of actions that can be performed on an incident from the details pane.":::
76
77
77
78
1. If more information about the incident is needed, select **View full details** in the details pane to open and see the incident's details in their entirety, including the alerts and entities in the incident, a list of similar incidents, and selected top insights.
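Review bot: The new table replaces bullets nested under numbered step "If the information in the details pane is sufficient..."; the diff does not show leading whitespace, so confirm that every table line (header, separator, and the four rows) is indented to the same level as the step text, otherwise the table breaks out of the ordered list and the following "1." items restart numbering in the rendered page. While here, the "Run playbook" row reads awkwardly: "such as your SOC engineers might have made available" would be cleaner as "that your SOC engineers have made available."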
@@ -149,11 +150,11 @@ Once you resolve a particular incident (for example, when your investigation rea
149
150
150
151
Select **Select classification** and choose one of the following from the drop-down list:
151
152
152
-
- True Positive – suspicious activity
153
-
- Benign Positive – suspicious but expected
154
-
- False Positive – incorrect alert logic
155
-
- False Positive – incorrect data
156
-
- Undetermined
153
+
-**True Positive**– suspicious activity
154
+
-**Benign Positive**– suspicious but expected
155
+
-**False Positive**– incorrect alert logic
156
+
-**False Positive**– incorrect data
157
+
-**Undetermined**
157
158
158
159
:::image type="content" source="media/investigate-incidents/closing-reasons-dropdown.png" alt-text="Screenshot that highlights the classifications available in the Select classification list.":::
159
160
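Review bot: Each new classification line is missing the space between the closing bold marker and the en dash, for example "**True Positive**– suspicious activity" renders as "True Positive– suspicious activity"; the removed plain-text lines had "True Positive – suspicious activity". Restore the space on all four lines, e.g. "-**True Positive** – suspicious activity", and for consistency with the classification dropdown in the screenshot consider keeping the dash-separated reason text unbolded as it is.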
@@ -165,4 +166,4 @@ After choosing the appropriate classification, add some descriptive text in the
165
166
166
167
## Next step
167
168
168
-
For more information, see [Investigate Microsoft Sentinel incidents in depth in the Azure portal](investigate-incidents.md)
169
+
For more information, see [Investigate Microsoft Sentinel incidents in depth in the Azure portal](investigate-incidents.md)
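Review bot: The removed and added lines in this hunk are textually identical, so the change is presumably trailing whitespace or a missing newline at end of file; that is fine, but it should be called out in the commit message so reviewers do not hunt for a content difference. The sentence itself also lacks a terminating period after the link: "...in the Azure portal](investigate-incidents.md)."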