Microsoft Sentinel

Incident Management & Investigation

20 mins

Understanding the Concept

Sentinel incidents are created when analytics rules fire. Each incident aggregates the related alerts, entities, evidence, and bookmarks. The incident page shows the timeline, entities, comments, and activity log so that a team can investigate collaboratively.

Investigation graph provides visual exploration of entities and their relationships. Analysts can expand entities to discover connections, timelines, and related alerts. Bookmarks capture important hunting findings for inclusion in incidents.

Incident management features include assignment, status tracking (New, Active, Closed), severity adjustment, classification (True Positive, False Positive, Benign Positive), and tasks for structured investigation workflows.

Key Points

  • Incidents aggregate alerts, entities, evidence, and bookmarks
  • Investigation graph visualizes entity relationships
  • Incident status: New, Active, Closed
  • Classification: True Positive, False Positive, Benign Positive
  • Tasks enable structured investigation workflows
  • Comments and activity log for team collaboration

Why This Matters in Real Organizations

Structured incident management ensures threats are tracked from detection through resolution. Without it, incidents are investigated inconsistently, lose context during handoffs, and lack the audit trail needed for post-incident review.

Common Mistakes to Avoid

  • Not classifying incidents after resolution (needed for tuning)
  • Investigating everything manually instead of using the investigation graph
  • Not adding tasks for repeatable investigation steps
  • Closing incidents without documenting findings in comments
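The first and last of these mistakes can be audited across a workspace with a KQL query over the built-in SecurityIncident table; the query below is an added example, not part of the course material. It assumes the commentsCount field inside the AdditionalData column and the assignedTo field inside the Owner column, both of which are part of the documented SecurityIncident schema.

```kql
// Added example (not from the course): find incidents that were closed
// without a classification or without any analyst comments.
// Every edit to an incident writes a new row to SecurityIncident,
// so first keep only the most recent row per incident.
SecurityIncident
| where TimeGenerated > ago(30d)
| summarize arg_max(LastModifiedTime, *) by IncidentNumber
| where Status == "Closed"
| extend CommentCount = toint(AdditionalData.commentsCount)   // assumed schema field
| extend Finding = case(
    isempty(Classification), "Closed without classification",
    CommentCount == 0,       "Closed without comments",
    "OK")
| where Finding != "OK"
| project IncidentNumber, Title, Severity,
          Owner = tostring(Owner.assignedTo),                    // assumed schema field
          ClosedTime, Classification, ClassificationReason, CommentCount, Finding
| order by ClosedTime desc
```

Scheduling this as a weekly review (or as a low-severity analytics rule) turns the hygiene rule into something measurable rather than a reminder in a checklist.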

Interview Tips

  • Walk through your incident investigation workflow in Sentinel
  • Discuss how you use the investigation graph for entity analysis

Exam Tips (SC-200)

  • Know incident lifecycle: creation, investigation, resolution
  • Understand investigation graph capabilities
  • Know classification options and their purpose
