Commit 591c670

committed
Incidents section
1 parent 237b6df commit 591c670

1 file changed: +9 -8 lines changed


articles/sentinel/best-practices.md

Lines changed: 9 additions & 8 deletions
@@ -52,21 +52,22 @@ More than ingesting alerts and logs from other sources, Microsoft Sentinel also:
5252
- Provides **[threat response capabilities](overview.md#respond-to-incidents-rapidly)**, such as playbooks that integrate with Azure services and your existing tools.
5353
- **Integrates with partner platforms** using [Microsoft Sentinel data connectors](connect-data-sources.md), providing essential services for SOC teams.
5454

55-
## Incident management and response
55+
## Plan incident management and response process
5656

5757
The following image shows recommended steps in an incident management and response process.
5858

5959
:::image type="content" source="media/best-practices/incident-handling.png" alt-text="Diagram showing incident management process: Triage. Preparation. Remediation. Eradication. Post incident activities.":::
6060

61-
The following table provides high-level descriptions for how to use Microsoft Sentinel features for incident management and response. For more information, see [Investigate incidents with Microsoft Sentinel](investigate-cases.md).
61+
The following table provides high-level incident management and response tasks and related best practices. For more information, see [Microsoft Sentinel incident investigation in the Azure portal](investigate-incidents.md) or [Incidents and alerts in the Microsoft Defender portal](/defender-xdr/incidents-overview).
6262

63-
64-
|Capability |Best practice |
63+
|Task |Best practice |
6564
|---------|---------|
66-
|Incidents| Any generated incidents are displayed on the **Incidents** page, which serves as the central location for triage and early investigation. The **Incidents** page lists the title, severity, and related alerts, logs, and any entities of interest. Incidents also provide a quick jump into collected logs and any tools related to the incident. |
67-
|Investigation graph | The **Incidents** page works together with the **Investigation graph**, an interactive tool that allows users to explore and dive deep into an alert to show the full scope of an attack. Users can then construct a timeline of events and discover the extent of a threat chain.<br><br>Discover key entities, such as accounts, URLs, IP address, host names, activities, timeline, and more. Use this data to understand whether you have a [false positive](false-positives.md) on hand, in which case you can close the incident directly.<br><br>If you discover that the incident is a true positive, take action directly from the **Incidents** page to investigate logs, entities, and explore the threat chain. After you identified the threat and created a plan of action, use other tools in Microsoft Sentinel and other Microsoft security services to continue investigating. |
68-
|Information visualization | To visualize and get analysis of what's happening on your environment, first, take a look at the Microsoft Sentinel overview dashboard to get an idea of the security posture of your organization. For more information, see [Visualize collected data](get-visibility.md). <br><br>In addition to information and trends on the Microsoft Sentinel overview page, workbooks are valuable investigative tools. For example, use the [Investigation Insights](top-workbooks.md#investigation-insights) workbook to investigate specific incidents together with any associated entities and alerts. This workbook enables you to dive deeper into entities by showing related logs, actions, and alerts. |
69-
|Threat hunting | While investigating and searching for root causes, run built-in threat hunting queries and check results for any indicators of compromise. For more information, see [Threat hunting in Microsoft Sentinel](hunting.md).<br><br>During an investigation, or after having taken steps to remediate and eradicate the threat, use [livestream](livestream.md). Livestream allows you to monitor, in real time, whether there are any lingering malicious events, or if malicious events are still continuing. |
65+
|Review Incidents page| Review an incident on the **Incidents** page, which lists the title, severity, and related alerts, logs, and any entities of interest. You can also jump from incidents into collected logs and any tools related to the incident. |
66+
|Use Incident graph | Review the **Incident graph** for an incident to see the full scope of an attack. You can then construct a timeline of events and discover the extent of a threat chain. |
67+
|Review incidents for false positives |Use data about key entities, such as accounts, URLs, IP address, host names, activities, timeline to understand whether you have a [false positive](false-positives.md) on hand, in which case you can close the incident directly.<br><br>If you discover that the incident is a true positive, take action directly from the **Incidents** page to investigate logs, entities, and explore the threat chain. After you identified the threat and created a plan of action, use other tools in Microsoft Sentinel and other Microsoft security services to continue investigating. |
68+
|Visualize information | Take a look at the Microsoft Sentinel overview dashboard to get an idea of the security posture of your organization. For more information, see [Visualize collected data](get-visibility.md). <br><br>In addition to information and trends on the Microsoft Sentinel overview page, workbooks are valuable investigative tools. For example, use the [Investigation Insights](top-workbooks.md#investigation-insights) workbook to investigate specific incidents together with any associated entities and alerts. This workbook enables you to dive deeper into entities by showing related logs, actions, and alerts. |
69+
|Hunt for threats | While investigating and searching for root causes, run built-in threat hunting queries and check results for any indicators of compromise. For more information, see [Threat hunting in Microsoft Sentinel](hunting.md).|
70+
|Use livestream |During an investigation, or after having taken steps to remediate and eradicate the threat, use [livestream](livestream.md). Livestream allows you to monitor, in real time, whether there are any lingering malicious events, or if malicious events are still continuing. |
7071
|Entity behavior | Entity behavior in Microsoft Sentinel allows users to review and investigate actions and alerts for specific entities, such as investigating accounts and host names. For more information, see:<br><br>- [Enable User and Entity Behavior Analytics (UEBA) in Microsoft Sentinel](enable-entity-behavior-analytics.md)<br>- [Investigate incidents with UEBA data](investigate-with-ueba.md)<br>- [Microsoft Sentinel UEBA enrichments reference](ueba-reference.md) |
7172
|Watchlists | Use a watchlist that combines data from ingested data and external sources, such as enrichment data. For example, create lists of IP address ranges used by your organization or recently terminated employees. Use watchlists with playbooks to gather enrichment data, such as adding malicious IP addresses to watchlists to use during detection, threat hunting, and investigations. <br><br>During an incident, use watchlists to contain investigation data, and then delete them when your investigation is done to ensure that sensitive data doesn't remain in view. <br><br> For more information, see [Watchlists in Microsoft Sentinel](watchlists.md). |
7273
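Review bot: the last two rows of the table (**Entity behavior** and **Watchlists**) still carry the old noun-style labels from the **Capability** column, while the header is now **Task** and every rewritten row above them leads with a verb (`|Review Incidents page|`, `|Use livestream |`); rename them along the same lines, for example `|Investigate entity behavior |` and `|Use watchlists |`, so the table reads consistently after this change. Two small wording points carried into the added rows: "IP address" in the **Review incidents for false positives** row should be plural to match "accounts, URLs, host names", and "After you identified the threat" reads better as "After you've identified the threat". Also, the new row says **Incident graph** where the deleted text said **Investigation graph**; since the new intro links to both the Azure portal and the Defender portal, confirm the label matches the UI the row describes.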

0 commit comments
