You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: articles/sentinel/whats-new.md
+19-18Lines changed: 19 additions & 18 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -126,50 +126,51 @@ A [new version of the Microsoft Sentinel Logstash plugin](connect-logstash-data-
126
126
127
127
### New behavior for alert grouping in analytics rules
128
128
129
-
As of **February 2, 2023**, Microsoft is changing the way that incidents are created from analytics rules with certain event and alert grouping settings, and also the way that such incidents are updated by automation rules.
129
+
As of **February 2, 2023**, Microsoft Sentinel is changing the way that incidents are created from analytics rules with certain event and alert grouping settings, and also the way that such incidents are updated by automation rules. This change is being made in order to produce incidents with more complete information and to simplify automation triggered by the creating and updating of incidents.
130
130
131
131
The affected analytics rules are those with both of the following two settings:
132
132
-**Event grouping** is set to **Trigger an alert for each event** (sometimes referred to as "alert per row" or "alert per result").
133
133
-**Alert grouping** is enabled, in any one of the [three possible configurations](detect-threats-custom.md#alert-grouping).
134
134
135
135
#### The problem
136
136
137
-
Rules with these two settings generate unique alerts for each event (result) returned by the query. These alerts are then all grouped together into a single incidents or a small number of incidents (depending on the alert grouping configuration choice).
137
+
Rules with these two settings generate unique alerts for each event (result) returned by the query. These alerts are then all grouped together into a single incident (or a small number of incidents, depending on the alert grouping configuration choice).
138
138
139
-
The problem is that the incidents are created as soon as the first alert is generated, so at that point they contain only the first alert. The remaining alerts are joined to the incident one after the other as they are generated. So you end up with a single running of an analytics rule resulting in:
139
+
The problem is that the incident is created as soon as the first alert is generated, so at that point the incident contains only the first alert. The remaining alerts are joined to the incident, one after the other, as they are generated. So you end up with a *single running of an analytics rule* resulting in:
140
140
- One incident creation event *and*
141
141
- Up to 149 incident update events
142
142
143
143
These circumstances result in unpredictable behavior when evaluating the conditions defined in automation rules or populating the incident schema in playbooks:
144
144
145
-
-Automation rules on this incident will run immediately on its creation, even with just the one alert included. So the automation rule will only consider the incident's status as containing the first alert, even though alerts will continue being added while the automation rule is running. So you end up with a situation where the automation rule's evaluation of the incident is incomplete and likely incorrect.
145
+
-**Incorrect evaluation of an incident's conditions by automation rules:**
146
146
147
-
- Entities in later alerts being left out of the incident.
147
+
Automation rules on this incident will run immediately on its creation, even with just the one alert included. So the automation rule will only consider the incident's status as containing the first alert, even though other alerts are being created nearly simultaneously (by the same running of the analytics rule) and will continue being added while the automation rule is running. So you end up with a situation where the automation rule's evaluation of the incident is incomplete and likely incorrect.
148
+
149
+
If there are automation rules defined to run when the incident is *updated*, they will run again and again as each subsequent alert is added to the incident (even though the alerts were all generated by the same running of the analytics rule). So you'll have alerts being added and automation rules running, each time possibly incorrectly evaluating the conditions of the incident.
148
150
149
151
Automation rules' conditions might ignore entities that only later become part of the incident but weren't included in the first alert/creation of the incident.
150
152
151
-
- Because of the previous behavior, Playbooks may only consider the details of the first alert in an incident, but not those from subsequent alerts.
153
+
In these cases, incorrect evaluation of an incident's condition may cause automation rules to run when they shouldn't, or not to run when they should. The result of this would be that the wrong actions would be taken on an incident, or that the right actions would not be taken.
152
154
153
-
#### The solution
155
+
-**Information in later alerts being ignored when playbooks are run on the incident:**
154
156
155
-
The following table describes the change in the incident creation and automation behaviors:
157
+
When an automation rule calls a playbook, it passes the incident's detailed information to the playbook. Because of the behavior mentioned above, a playbook might only receive the details (entities, custom details, and so on) of the first alert in an incident, but not those from subsequent alerts. This means that the playbook's actions would not have access to all the information in the incident.
156
158
157
-
| When incident created/updated with multiple alerts | Before the change | After the change |
158
-
| -- | -- | -- |
159
-
|**Automation rule** conditions (trigger: when an incident is created/updated) will be evaluated based on... | The first alert of the incident only. This causes unexpected behavior ('race condition') when evaluating automation rules conditions. | after all alerts and entities, triggered by this rule execution and grouped to this incident, have been added, with the most recent incident properties (such as severity and tactics). |
160
-
|**Playbook input** (Microsoft Sentinel incident trigger) | Alerts list contains only the first alert of the incident | Alerts list contains all the alerts triggered by this rule execution and grouped to this incident |
161
-
|**SecurityIncident** table in Log Analytics shows... | - One row for *incident created* with one alert.<br>- Multiple events of *alert added*. | One row for *incident created* only after all alerts triggered by this rule execution have been added and grouped to this incident. |
159
+
#### The solution
162
160
161
+
Going forward, instead of creating the incident as soon as the first alert is generated, Microsoft Sentinel will wait until a single running of an analytics rule has generated all of its alerts, and then create the incident, adding all the alerts to it at once. So instead of an incident creation event and a whole bunch of incident update events, you have only the incident creation event.
163
162
164
-
#### How to prepare for this change?
163
+
Now, automation rules that run on the creation of an incident can evaluate the complete incident with all of its alerts (as well as entities and custom details) and its most updated properties, and any playbooks that run will similarly have the complete details of the incident.
165
164
166
-
- Check whether you have automation rules with **When incident is created** or **When incident is updated** which are set to run on analytics rule with the configuration above.
167
165
168
-
These automation rules' conditions will now be evaluated based on the incident after all alerts, triggered by this rule execution and grouped to this incident, and their entities have been added, with the most recent incident properties.
169
166
170
-
- If these automation rules also trigger playbooks, and these playbooks work on the incident alerts or entities, they may now get more alerts and entities than they used to.
167
+
The following table describes the change in the incident creation and automation behaviors:
171
168
172
-
- If you have any scripts or pre-defined queries running based on the *SecurityIncident* table, please note that for these analytics rules, the way rows are added to the table will be different (One row for incident created after all alerts have been added).
169
+
| When incident created/updated with multiple alerts | Before the change | After the change |
170
+
| -- | -- | -- |
171
+
|**Automation rule** conditions are evaluated based on... | The first alert generated by the current running of the analytics rule. | All alerts and entities resulting from the current running of the analytics rule. |
172
+
|**Playbook input** includes... | - Alerts list containing only the first alert of the incident.<br>- Entities list containing only entities from the first alert of the incident. | - Alerts list containing all the alerts triggered by this rule execution and grouped to this incident.<br>- Entities list containing the entities from all the alerts triggered by this rule execution and grouped to this incident. |
173
+
|**SecurityIncident** table in Log Analytics shows... | - One row for *incident created* with one alert.<br>- Multiple events of *alert added*. | One row for *incident created* only after all alerts triggered by this rule execution have been added and grouped to this incident. |
173
174
174
175
### Microsoft 365 Defender now integrates Azure Active Directory Identity Protection (AADIP)
0 commit comments