
How to Manage Microsoft Sentinel Incidents | Tutorial to Manage Microsoft Sentinel Incidents 

Pro Hut

How to Manage Microsoft Sentinel Incidents | Tutorial to Manage Microsoft Sentinel Incidents @prohut #azure
How to change Severity of Microsoft Sentinel Incidents
How to assign Incidents in Microsoft Sentinel
In this video, we'll learn about the management of incidents in Microsoft Sentinel.
To do that, let's go to Microsoft Sentinel and click on the Sentinel workspace that we have created.
Let's hide this panel for now. Before we go to the incidents, let's click on Overview to get details of all the incidents.
In the Overview tab, we can see detailed information about the total number of incidents, the number of active incidents, and the number of closed incidents. At this point in time, we can see that we have 191 incidents in total. If we scroll down, we can see the data connectors and the data that we have received, and we can also see the analytics rules that we have created.
Now let's go to Incidents. We can see that in total we have 191 new and open incidents. So let's see how we can manage these incidents in Microsoft Sentinel.
To manage an incident, let's click on any of these incidents to see its detailed information. Here we can see that this incident is not assigned; it is showing as Unassigned. If I click on the dropdown, we can see the option to assign this incident to a user. So let's assign this incident to user tu03 and click on Apply. Now, this is a new incident, so when we click on the status dropdown, we can see the options Active and Closed. If we want to change the status of this incident, we can do it here. Let's click on Cancel for now.
Similarly, when we click on Severity, we can change the severity. So let's change the severity to High for this incident and click on Apply. What we have done so far is assign this incident to the user tu03. Let's also change the status to Active and click on Apply. Now this incident is assigned to user tu03, which means that when tu03 logs in and goes to Microsoft Sentinel, they will see that this incident is assigned to them. So, as per your environment or your requirements, you can assign incidents to the users who are supposed to manage them.
If you scroll down, we can see detailed information like when exactly it was last updated, the creation time, and the rule name, and we can also add comments. So let's try adding a comment: "This is a critical event, please check." Now we have added the comment. By clicking on View full details we can see the full details of this incident. If we scroll down, we can see that this is the last comment that we have added. We can also assign a tag to the incident. Now let's close this.
Now, for the tu03 user to manage these incidents, we need to grant them the required access. Let's open the Azure subscription in a new tab: open a new tab, go to Subscriptions, and click on the subscription that we have. Let's hide this panel, click on Access control (IAM), click on Add, then click on Add role assignment, and search for the role Microsoft Sentinel.
Here we have multiple different roles. For this lab we will only be talking about the Microsoft Sentinel Responder role; we can cover the rest of the roles in a future video. Let's click on Microsoft Sentinel Responder, click on Next, click on Select members, select the tu03 user since we want to assign this role to them, click on Select, click on Next, then click on Review + assign.
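The same steps the video performs in the portal (grant the analyst the Microsoft Sentinel Responder role, assign the incident, raise its severity, set it to Active, and add a comment) can be scripted so they are repeatable and auditable. The following PowerShell is an added example and is not code from the Pro Hut video; it assumes the Az.Accounts, Az.Resources and Az.SecurityInsights modules are installed, and the subscription ID, resource group, workspace name, incident ID and the analyst's UPN domain are placeholders you must replace.

```powershell
# Added example, not from the video: script the incident-management steps shown
# in the portal with the Az PowerShell modules. All values below are placeholders.
#Requires -Modules Az.Accounts, Az.Resources, Az.SecurityInsights

$subscriptionId = '00000000-0000-0000-0000-000000000000'  # placeholder subscription
$resourceGroup  = 'rg-sentinel-lab'                       # placeholder resource group
$workspaceName  = 'law-sentinel-lab'                      # placeholder Log Analytics workspace
$incidentId     = '11111111-1111-1111-1111-111111111111'  # placeholder incident GUID
$analystUpn     = 'tu03@contoso.com'                      # tu03 is from the video; domain assumed

Connect-AzAccount -Subscription $subscriptionId | Out-Null

# 1. Least privilege: Microsoft Sentinel Responder lets an analyst view data and
#    assign, reprioritise and close incidents, but not create or edit analytics
#    rules. Scope it to the resource group holding the workspace, not the whole
#    subscription, and skip the assignment if it already exists.
$analyst = Get-AzADUser -UserPrincipalName $analystUpn
$scope   = "/subscriptions/$subscriptionId/resourceGroups/$resourceGroup"

$existing = Get-AzRoleAssignment -ObjectId $analyst.Id `
                                 -RoleDefinitionName 'Microsoft Sentinel Responder' `
                                 -Scope $scope
if (-not $existing) {
    New-AzRoleAssignment -ObjectId $analyst.Id `
                         -RoleDefinitionName 'Microsoft Sentinel Responder' `
                         -Scope $scope | Out-Null
}

# 2. Assign the incident to tu03, set severity to High and status to Active,
#    exactly as done through the incident pane in the video.
Update-AzSentinelIncident -ResourceGroupName $resourceGroup `
                          -WorkspaceName $workspaceName `
                          -Id $incidentId `
                          -OwnerObjectId $analyst.Id `
                          -OwnerUserPrincipalName $analystUpn `
                          -OwnerAssignedTo $analyst.DisplayName `
                          -Severity High `
                          -Status Active | Out-Null

# 3. Leave the same triage comment the video adds.
New-AzSentinelIncidentComment -ResourceGroupName $resourceGroup `
                              -WorkspaceName $workspaceName `
                              -IncidentId $incidentId `
                              -Message 'This is a critical event, please check.' | Out-Null

# 4. Read the incident back to confirm owner, severity and status were applied.
Get-AzSentinelIncident -ResourceGroupName $resourceGroup `
                       -WorkspaceName $workspaceName `
                       -Id $incidentId |
    Format-List Title, Severity, Status, OwnerUserPrincipalName
```

Scripting the role assignment at resource-group scope rather than subscription scope keeps the analyst's rights limited to the workspace they triage, and the read-back at the end is the check a practitioner wants before trusting that the portal and the script agree.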

Published: 10 Sep 2024