Azure Sentinel News
Azure Sentinel Rare Occurrences Incidents Generated After Setup

by Azure Sentinel News Editor
December 30, 2020
in Incident Response

One of the official Microsoft offerings I deliver to customers includes a Day 1 setup of Azure Sentinel – which then leads into a 3-day workshop. But, that Day 1 setup is important so we have the customer’s real data to work with the rest of the week and the customer has data to continue their learning and business integration after the workshop is complete.

One of the things that customers notice right away after setup and enabling a few Data Connectors is the number of Incidents created based on “rare” occurrences. An example is shown in the following image…

Incidents for Rare Occurrences

Think about it. The customer has set up Azure Sentinel for the very first time and enabled Data Connectors. It makes sense that “rare” operations are identified, because this is the first time these operations have ever been observed by the rules.

It’s critical to keep these specific Analytics Rules enabled, because they cover important threats you want to track and be alerted about. However, after setting up Azure Sentinel for the first time, you may want to make some temporary adjustments, since this initial burst of rare-occurrence Incidents flattens out as the rules accumulate history.

First off, identify the accounts and hostnames attached to the Incident as Entities and confirm that those hosts and users belong to your organization. Once they have been confirmed, manage the Incident lifecycle: add a note, assign the Incident to yourself (or whoever is applicable), and set the Status to “Closed – Benign Positive – suspicious but expected”.

Benign Positive
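The following is an added worked example (not code from the original post) that encodes the triage decision just described: close as Benign Positive only when every Account and Host entity is confirmed to be the organization's, and otherwise keep the Incident open. The sample incidents, the `ORG_UPN_DOMAINS` and `ORG_HOST_SUFFIXES` allowlists and the `Triage` record are constructed assumptions; the classification strings mirror the status the post tells you to set.

```python
"""Triage helper for post-setup 'rare occurrence' incidents: confirm every Account/Host
entity is the organization's, and only then close as Benign Positive - suspicious but expected.
Sample incidents are constructed; the org allowlists are assumptions."""
from dataclasses import dataclass

# The Analytics Rules listed in the post; they fire on first-time-seen activity.
RARE_OCCURRENCE_RULES = {
    "Rare subscription-level operations in Azure",
    "Rare application consent",
    "Rare RDP Connections",
    "SharePointFileOperation via previously unseen IPs",
    "SharePointFileOperation via devices with previously unseen user agents",
}
# Assumed organizational baseline; replace with your tenant domains and host inventory.
ORG_UPN_DOMAINS = {"contoso.com", "contoso.onmicrosoft.com"}
ORG_HOST_SUFFIXES = (".corp.contoso.com",)

@dataclass
class Triage:
    status: str               # New / Active / Closed
    classification: str = ""  # BenignPositive when closed as expected
    reason: str = ""          # SuspiciousButExpected
    note: str = ""

def entity_is_internal(entity: dict) -> bool:
    """Account: UPN domain must be ours; Host: FQDN in our namespace. Other kinds: unknown."""
    kind, value = entity["kind"], entity["value"].lower()
    if kind == "Account":
        return "@" in value and value.rsplit("@", 1)[1] in ORG_UPN_DOMAINS
    if kind == "Host":
        return value.endswith(ORG_HOST_SUFFIXES)
    return False

def triage_rare_incident(incident: dict, assignee: str) -> Triage:
    """Close as benign only for a rare-occurrence rule whose entities are ALL confirmed
    internal; an incident with any unconfirmed entity stays open for investigation."""
    if incident["rule"] not in RARE_OCCURRENCE_RULES:
        return Triage("New", note="Not a post-setup rare-occurrence rule; triage normally.")
    unknown = [e["value"] for e in incident["entities"] if not entity_is_internal(e)]
    if unknown:
        return Triage("Active", note="Unconfirmed entities: " + ", ".join(unknown))
    return Triage("Closed", "BenignPositive", "SuspiciousButExpected",
                  note=f"{assignee}: first-time-seen activity after setup; entities confirmed.")

# Constructed sample incidents (not real data).
SAMPLE_INCIDENTS = [
    {"rule": "Rare RDP Connections", "entities": [{"kind": "Account", "value": "alice@contoso.com"},
                                                  {"kind": "Host", "value": "SRV01.corp.contoso.com"}]},
    {"rule": "Rare application consent", "entities": [{"kind": "Account", "value": "mallory@example.net"}]},
]
```

Entities the check cannot vouch for (IP addresses, URLs) deliberately keep the Incident open, so the "previously unseen IPs" rules are never auto-closed by this logic.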

You may also want to adjust the Analytics Rules associated with these Incidents for the time being to help eliminate some noise.

The specific Analytics Rules are:

Rule                                                                     Connector
Rare subscription-level operations in Azure                              Azure Activity
Rare application consent                                                 Azure Active Directory
Rare RDP Connections                                                     Security Events
SharePointFileOperation via previously unseen IPs                        Office 365
SharePointFileOperation via devices with previously unseen user agents   Office 365

Rare Occurrence Analytics Rules

Consider adjusting the alert grouping for each of these rules to make them less noisy.

Modifying Alert Grouping

Reference: https://azurecloudai.blog/2020/07/09/azure-sentinel-rare-occurrences-incidents-generated-after-setup/

Copyright © 2020 - Azure Sentinel News