-[New in docs: Best practice guidance](#new-in-docs-best-practice-guidance)
35
+
36
+
### Advanced incident search (Public preview)
37
+
38
+
By default, incident searches run across the **Incident ID**, **Title**, **Tags**, **Owner**, and **Product name** values only. Azure Sentinel now provides [advanced search options](investigate-cases.md#search-for-incidents) to search across more data, including alert details, descriptions, entities, tactics, and more.
39
+
40
+
For example:
41
+
42
+
:::image type="content" source="media/investigate-cases/advanced-search.png" alt-text="Screenshot of the Incidents page advanced search options.":::
43
+
44
+
For more information, see [Search for incidents](investigate-cases.md#search-for-incidents).
45
+
46
+
### Fusion detection for Ransomware (Public preview)
47
+
48
+
Azure Sentinel now provides new Fusion detections for possible Ransomware activities, generating incidents titled as **Multiple alerts possibly related to Ransomware activity detected**.
49
+
50
+
Incidents are generated for alerts that are possibly associated with Ransomware activities, when they occur during a specific time-frame, and are associated with the Execution and Defense Evasion stages of an attack. You can use the alerts listed in the incident to analyze the techniques possibly used by attackers to compromise a host / device and to evade detection.
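Review bot: the Fusion paragraph in this hunk (line 50) describes the two tactics as "the Execution and Defense Evasion stages of an attack"; since these are MITRE ATT&CK tactic names, consider saying so explicitly, so readers can map the incident's alerts to the tactic column they see in the Incidents blade. Minor style points in the same lines: "Ransomware" is capitalized mid-sentence ("possible Ransomware activities"), "time-frame" is hyphenated where the rest of the docs use "time frame", and "host / device" has spaces around the slash.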
For more information, see [Multiple alerts possibly related to Ransomware activity detected](fusion.md#fusion-for-ransomware).
61
+
62
+
### Watchlist templates for UEBA data (Public preview)
63
+
64
+
Azure Sentinel now provides built-in watchlist templates for UEBA data, which you can customize for your environment and use during investigations.
65
+
66
+
After UEBA watchlists are populated with data, you can correlate that data with analytics rules, view it in the entity pages and investigation graphs as insights, create custom uses such as to track VIP or sensitive users, and more.
67
+
68
+
Watchlist templates currently include:
69
+
70
+
-**VIP Users**. A list of user accounts of employees that have high impact value in the organization.
71
+
-**Terminated Employees**. A list of user accounts of employees that have been, or are about to be, terminated.
72
+
-**Service Accounts**. A list of service accounts and their owners.
73
+
-**Identity Correlation**. A list of related user accounts that belong to the same person.
74
+
-**High Value Assets**. A list of devices, resources, or other assets that have critical value in the organization.
75
+
-**Network Mapping**. A list of IP subnets and their respective organizational contexts.
76
+
77
+
For more information, see [Create watchlists in Microsoft Sentinel](watchlists-create.md) and [Built-in watchlist schemas](watchlist-schemas.md).
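Review bot: product naming is inconsistent inside this hunk: the body text on line 64 says "Azure Sentinel now provides built-in watchlist templates", while the link text on line 77 reads "Create watchlists in Microsoft Sentinel". Because the block is being moved verbatim, this is the natural place to align both to the same product name. Separately, the list items on lines 70 to 75 appear as `-**VIP Users**` with no space after the hyphen; if the source file really lacks that space (rather than this being a rendering artifact), Markdown will not render them as a list.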
The Azure Sentinel Information Model (ASIM) now supports a File Event normalization schema, which is used to describe file activity, such as creating, modifying, or deleting files or documents. File events are reported by operating systems, file storage systems such as Azure Files, and document management systems such as Microsoft SharePoint.
-[Data collection best practices](best-practices-data.md)
103
+
104
+
> [!TIP]
105
+
> You can find more guidance added across our documentation in relevant conceptual and how-to articles. For more information, see [Best practice references](best-practices.md#best-practice-references).
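Review bot: the added lines 35 to 105 are identical, character for character, to the lines removed at 764 to 834 below, so this is a relocation rather than new content; the hunks carry no explanation of why the entries move (for example, which month's "what's new" they now belong to), and a short note would help anyone reading the history. Also, the ASIM File Event paragraph sits directly after the watchlist "For more information" line with no heading of its own visible in this hunk; please confirm its section heading survived the move and that the `#new-in-docs-best-practice-guidance` anchor on the first added line still resolves from the new position.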
-[New in docs: Best practice guidance](#new-in-docs-best-practice-guidance)
764
-
765
-
### Advanced incident search (Public preview)
766
-
767
-
By default, incident searches run across the **Incident ID**, **Title**, **Tags**, **Owner**, and **Product name** values only. Azure Sentinel now provides [advanced search options](investigate-cases.md#search-for-incidents) to search across more data, including alert details, descriptions, entities, tactics, and more.
768
-
769
-
For example:
770
-
771
-
:::image type="content" source="media/investigate-cases/advanced-search.png" alt-text="Screenshot of the Incidents page advanced search options.":::
772
-
773
-
For more information, see [Search for incidents](investigate-cases.md#search-for-incidents).
774
-
775
-
### Fusion detection for Ransomware (Public preview)
776
-
777
-
Azure Sentinel now provides new Fusion detections for possible Ransomware activities, generating incidents titled as **Multiple alerts possibly related to Ransomware activity detected**.
778
-
779
-
Incidents are generated for alerts that are possibly associated with Ransomware activities, when they occur during a specific time-frame, and are associated with the Execution and Defense Evasion stages of an attack. You can use the alerts listed in the incident to analyze the techniques possibly used by attackers to compromise a host / device and to evade detection.
For more information, see [Multiple alerts possibly related to Ransomware activity detected](fusion.md#fusion-for-ransomware).
790
-
791
-
### Watchlist templates for UEBA data (Public preview)
792
-
793
-
Azure Sentinel now provides built-in watchlist templates for UEBA data, which you can customize for your environment and use during investigations.
794
-
795
-
After UEBA watchlists are populated with data, you can correlate that data with analytics rules, view it in the entity pages and investigation graphs as insights, create custom uses such as to track VIP or sensitive users, and more.
796
-
797
-
Watchlist templates currently include:
798
-
799
-
-**VIP Users**. A list of user accounts of employees that have high impact value in the organization.
800
-
-**Terminated Employees**. A list of user accounts of employees that have been, or are about to be, terminated.
801
-
-**Service Accounts**. A list of service accounts and their owners.
802
-
-**Identity Correlation**. A list of related user accounts that belong to the same person.
803
-
-**High Value Assets**. A list of devices, resources, or other assets that have critical value in the organization.
804
-
-**Network Mapping**. A list of IP subnets and their respective organizational contexts.
805
-
806
-
For more information, see [Create watchlists in Microsoft Sentinel](watchlists-create.md) and [Built-in watchlist schemas](watchlist-schemas.md).
The Azure Sentinel Information Model (ASIM) now supports a File Event normalization schema, which is used to describe file activity, such as creating, modifying, or deleting files or documents. File events are reported by operating systems, file storage systems such as Azure Files, and document management systems such as Microsoft SharePoint.
-[Data collection best practices](best-practices-data.md)
832
-
833
-
> [!TIP]
834
-
> You can find more guidance added across our documentation in relevant conceptual and how-to articles. For more information, see [Best practice references](best-practices.md#best-practice-references).
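Review bot: since the removed block matches the added block above, no content is lost, but in-page links that pointed at the old position (including the `#new-in-docs-best-practice-guidance` anchor on the first removed line) only keep working if the corresponding heading moved as well; the hunks shown do not include that heading, so please verify it before merging.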