This is part of a continuing series in relation to the Suggested Daily, Weekly, and Monthly Tasks for Azure Sentinel, which outlines tasks for security analysts. In this article, I’ll talk about investigating incidents as part of a daily regimen for an Azure Sentinel analyst. There’s deeper discussions and training that’s required to get a good handle on the ins-and-outs of working with Azure Sentinel. I won’t dig deep into those here, but instead give an overview for this specific daily task.
For customers that want deeper dives for Azure Sentinel, you have a few options:
In fact, this particular blog series is being developed into a workshop on its own and will also cover the additional, deeper knowledge for taking next steps.
Identify any newly released (or newly available due to recently connected Data Connectors) Analytics Rules. Enable those that are applicable.
To do this, dig into the Data Connector properties and identify any Analytics Rules that haven’t been enabled. As shown in the image, those that are enabled will show an “In Use” indicator. Those that need to be reassessed to enable.
(click on each image for a larger view)
When new Analytics Rules are enabled, it’s a good time to review your Playbooks and potentially assign automation to a newly enabled Analytics Rule. Remember, that applying automation needs to be methodical, well thought through, and logical. You’d hate to lock your CEO out their user account for doing something out of the ordinary but still valid.
When new Analytics Rules are found and enabled, make sure to take a careful approach and adjust scheduling and thresholds for what makes the best sense for your environment.
Additionally, based on the new Analytics Rules, you may need to either create new Playbooks or adjust any existing ones to provide appropriate automation.
Again, for customers that want deeper dives for Azure Sentinel, either sift through our docs platform or contact your TAM and ask about our Azure Sentinel workshop/POC.