
What’s new: SOC operational metrics now available in Azure Sentinel

Azure Sentinel News Editor by Azure Sentinel News Editor
November 27, 2020
in SOC, Uncategorized

This instalment is part of a broader series to keep you up to date with the latest features in Azure Sentinel. The instalments will be bite-sized to enable you to easily digest the new content.

Azure Sentinel incident data is now available in your Log Analytics workspace! You can use this data to report on metrics within your Security Operations Center. Typical SOC metrics include incidents created over time, mean time to triage, mean time to closure, etc. With the new SecurityIncident table now available in Log Analytics you will be able to run queries to get the metrics that are operationally important for your SOC. In addition, we’ve added the Security Operational Efficiency workbook into your templates so you have a pre-built SOC metrics workbook out-of-the-box for you to use. We also have an accompanying video for this blog that can be accessed here.

How do I use the new SecurityIncident table?

It’s easy: the SecurityIncident table is created automatically in your Log Analytics workspace once Azure Sentinel is enabled on that workspace. You can see the SecurityIncident table if you go to the Log Analytics blade:

You can query this table as you normally would query any other table using KQL.

Log entries in the SecurityIncident table

Every time you update an incident, a new log entry is added to the SecurityIncident table. This makes the history of changes to each incident queryable and enables richer SOC metrics, but you need to keep it in mind when constructing queries against this table: depending on the query, you may need to collapse the multiple entries for an incident down to a single row.

For example, if you wanted to return a list of all incidents sorted by their incident number but only wanted to return the most recent log entry per incident, you could do this using the arg_max KQL aggregation function*:

List incidents by incident number

SecurityIncident
| summarize arg_max(LastModifiedTime, *) by IncidentNumber   // keep only the most recently modified row per incident
| order by IncidentNumber asc                               // sort the result by incident number

*For more information on the arg_max and other KQL aggregation functions, please see here. 

Another couple of query examples using this table are below (both report percentiles of the elapsed hours rather than a plain mean):

Mean time to closure

SecurityIncident
| summarize arg_max(TimeGenerated, *) by IncidentNumber   // latest row per incident
| extend TimeToClosure = (ClosedTime - CreatedTime) / 1h  // hours from creation to closure (null while still open)
| summarize 5th_Percentile = percentile(TimeToClosure, 5),
            50th_Percentile = percentile(TimeToClosure, 50),
            90th_Percentile = percentile(TimeToClosure, 90),
            99th_Percentile = percentile(TimeToClosure, 99)

Mean time to acknowledge

SecurityIncident
| summarize arg_max(TimeGenerated, *) by IncidentNumber          // latest row per incident
| extend TimeToTriage = (FirstModifiedTime - CreatedTime) / 1h   // hours from creation to first modification
| summarize 5th_Percentile = max_of(percentile(TimeToTriage, 5), 0),   // clamp the low end at zero
            50th_Percentile = percentile(TimeToTriage, 50),
            90th_Percentile = percentile(TimeToTriage, 90),
            99th_Percentile = percentile(TimeToTriage, 99)
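To make the behaviour of these queries concrete without a workspace at hand, the following Python script re-implements them over a handful of constructed SecurityIncident-style rows. It is an added example, not code from the original post or from Microsoft: the column names (IncidentNumber, TimeGenerated, CreatedTime, FirstModifiedTime, ClosedTime, Status, Owner) are those used by the post's KQL, the sample rows are constructed with one row per incident update, and a nearest-rank percentile stands in for KQL's estimated percentile(). It shows why the arg_max deduplication from the first query matters (counting raw rows by status overstates incident counts), how open incidents with a null ClosedTime drop out of the time-to-closure percentiles, and it adds the per-owner mean time to triage that the workbook reports.

```python
"""Emulate the SecurityIncident queries from the post on constructed rows.

Added example; column names follow the post's KQL, rows are constructed, and
nearest-rank percentile replaces KQL's estimated percentile().
"""
import math
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Optional

T0 = datetime(2020, 11, 20, 9, 0, 0)  # constructed base time for the sample


def _row(num, generated_h, created_h, first_mod_h, closed_h, status, owner):
    """Build one SecurityIncident-style row; hour offsets are relative to T0."""
    def at(h: Optional[float]) -> Optional[datetime]:
        return None if h is None else T0 + timedelta(hours=h)
    return {"IncidentNumber": num, "TimeGenerated": at(generated_h),
            "CreatedTime": at(created_h), "FirstModifiedTime": at(first_mod_h),
            "ClosedTime": at(closed_h), "Status": status, "Owner": owner}


# Constructed sample: one row per update. 1001 and 1003 were triaged and
# closed, 1002 is still open (ClosedTime stays null).
SAMPLE_ROWS = [
    _row(1001, 0.0, 0.0, None, None, "New", ""),
    _row(1001, 0.5, 0.0, 0.5, None, "Active", "analyst-a"),
    _row(1001, 4.0, 0.0, 0.5, 4.0, "Closed", "analyst-a"),
    _row(1002, 1.0, 1.0, None, None, "New", ""),
    _row(1002, 3.0, 1.0, 3.0, None, "Active", "analyst-b"),
    _row(1003, 2.0, 2.0, None, None, "New", ""),
    _row(1003, 2.25, 2.0, 2.25, None, "Active", "analyst-a"),
    _row(1003, 10.0, 2.0, 2.25, 10.0, "Closed", "analyst-a"),
]


def latest_per_incident(rows, time_col="TimeGenerated"):
    """Equivalent of `summarize arg_max(TimeGenerated, *) by IncidentNumber`:
    keep only the most recent update row for each incident."""
    latest = {}
    for r in rows:
        cur = latest.get(r["IncidentNumber"])
        if cur is None or r[time_col] > cur[time_col]:
            latest[r["IncidentNumber"]] = r
    return list(latest.values())


def count_by_status(rows, dedupe=True):
    """Incident count per Status; without dedupe every update row is counted."""
    counts = defaultdict(int)
    for r in (latest_per_incident(rows) if dedupe else rows):
        counts[r["Status"]] += 1
    return dict(counts)


def _hours(start: Optional[datetime], end: Optional[datetime]) -> Optional[float]:
    """Like `(end - start) / 1h` in KQL: a null on either side yields null."""
    if start is None or end is None:
        return None
    return (end - start).total_seconds() / 3600


def percentile(values, p):
    """Nearest-rank percentile over the non-null values (nulls are ignored,
    as KQL's percentile() does; exact rather than estimated)."""
    vals = sorted(v for v in values if v is not None)
    if not vals:
        return None
    rank = max(1, math.ceil(p / 100 * len(vals)))
    return vals[rank - 1]


def time_to_closure_percentiles(rows, pcts=(5, 50, 90, 99)):
    """Mirror of the post's time-to-closure query: CreatedTime to ClosedTime
    in hours per incident; open incidents drop out of the percentiles."""
    hours = [_hours(r["CreatedTime"], r["ClosedTime"]) for r in latest_per_incident(rows)]
    return {p: percentile(hours, p) for p in pcts}


def time_to_triage_percentiles(rows, pcts=(5, 50, 90, 99)):
    """Mirror of the post's time-to-acknowledge query: CreatedTime to FirstModifiedTime."""
    hours = [_hours(r["CreatedTime"], r["FirstModifiedTime"]) for r in latest_per_incident(rows)]
    return {p: percentile(hours, p) for p in pcts}


def mean_time_to_triage_by_owner(rows):
    """Workbook-style metric: average triage hours per current Owner."""
    per_owner = defaultdict(list)
    for r in latest_per_incident(rows):
        h = _hours(r["CreatedTime"], r["FirstModifiedTime"])
        if h is not None and r["Owner"]:
            per_owner[r["Owner"]].append(h)
    return {o: sum(v) / len(v) for o, v in per_owner.items()}


if __name__ == "__main__":
    print("raw rows:", len(SAMPLE_ROWS), "distinct incidents:", len(latest_per_incident(SAMPLE_ROWS)))
    print("by status, raw rows:", count_by_status(SAMPLE_ROWS, dedupe=False))
    print("by status, arg_max:", count_by_status(SAMPLE_ROWS))
    print("time to closure percentiles (h):", time_to_closure_percentiles(SAMPLE_ROWS))
    print("time to triage percentiles (h):", time_to_triage_percentiles(SAMPLE_ROWS))
    print("mean time to triage by owner (h):", mean_time_to_triage_by_owner(SAMPLE_ROWS))
```

Running it prints three distinct incidents from eight raw rows, a status breakdown that only makes sense after deduplication, and closure percentiles computed from the two closed incidents alone. The same checks can be pointed at a CSV export of a real SecurityIncident table to sanity-check the workbook numbers.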

Security Operational Efficiency workbook

To complement the SecurityIncident table, we’ve provided an out-of-the-box Security Operational Efficiency workbook template that you can use to monitor your SOC operations. The workbook contains the following metrics:

  • Incidents created over time 
  • Incidents created by closing classification, severity, owner and status 
  • Mean time to triage 
  • Mean time to closure 
  • Incidents created by severity, owner, status, product and tactics over time 
  • Time to triage percentiles 
  • Time to closure percentiles 
  • Mean time to triage per owner 
  • Recent activities 
  • Recent closing classifications  

You can find this new workbook template by navigating to the “Workbooks” blade in Azure Sentinel and selecting the “Templates” tab.

We will be releasing additional workbooks that use the information found within the SecurityIncident table in the near future, so watch this space!

Get started today!

We encourage you to use the new SecurityIncident table to gather statistics on your SOC and on how incidents are being handled. If you build some interesting workbooks, please share them with the community on our GitHub repo. Try it out and let us know what you think!

Reference: https://techcommunity.microsoft.com/t5/azure-sentinel/what-s-new-soc-operational-metrics-now-available-in-azure/ba-p/1439002
Copyright © 2020 - Azure Sentinel News