Incident Management & Investigation
Understanding the Concept
Sentinel incidents are created when analytics rules fire. Each incident aggregates the related alerts, entities, evidence, and bookmarks. The incident page shows the timeline, entities, comments, and activity log so that several analysts can investigate collaboratively.
The investigation graph provides visual exploration of entities and their relationships. Analysts can expand entities to discover connections, timelines, and related alerts. Bookmarks capture important hunting findings so they can be added to incidents.
Incident management features include assignment, status tracking (New, Active, Closed), severity adjustment, classification (True Positive, False Positive, Benign Positive), and tasks for structured investigation workflows.
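The lifecycle fields described above (status, classification, severity, creation and close times) are recorded in the SecurityIncident table of the Sentinel workspace. The following KQL query is an added example, not part of the course material: it reports how long closed incidents took to resolve, grouped by severity and classification, and surfaces incidents that were closed with no classification at all. It assumes the standard SecurityIncident schema (IncidentNumber, Status, Classification, Severity, CreatedTime, ClosedTime, LastModifiedTime).

```kusto
// Added example: incident lifecycle hygiene from the SecurityIncident table.
// Assumption: standard SecurityIncident schema with one row per incident update.
SecurityIncident
| where TimeGenerated > ago(30d)
// The table stores every update to an incident; keep only the latest state of each one
| summarize arg_max(LastModifiedTime, *) by IncidentNumber
| where Status == "Closed"
// Closed incidents with no classification are an audit-trail gap for post-incident review
| extend Outcome = iff(isempty(Classification), "Unclassified", Classification),
         TimeToClose = ClosedTime - CreatedTime
| summarize ClosedIncidents = count(),
            MedianHoursToClose = round(percentile(TimeToClose, 50) / 1h, 1),
            MaxHoursToClose = round(max(TimeToClose) / 1h, 1)
  by Severity, Outcome
| order by Severity asc, ClosedIncidents desc
```

A non-zero "Unclassified" row means analysts are closing incidents without recording whether they were true, false, or benign positives, which breaks the tuning loop for the analytics rules that raised them.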
Key Points
- Incidents aggregate alerts, entities, evidence, and bookmarks
- Investigation graph visualizes entity relationships
- Incident status: New, Active, Closed
- Classification: True Positive, False Positive, Benign Positive
- Tasks enable structured investigation workflows
- Comments and activity log for team collaboration
Why This Matters in Real Organizations
Structured incident management ensures threats are tracked from detection through resolution. Without it, incidents are investigated inconsistently, lose context during handoffs, and lack the audit trail needed for post-incident review.
Common Mistakes to Avoid
Interview Tips
- Walk through your incident investigation workflow in Sentinel
- Discuss how you use the investigation graph for entity analysis
Exam Tips (SC-200)
- Know incident lifecycle: creation, investigation, resolution
- Understand investigation graph capabilities
- Know classification options and their purpose