4: Incidents Flashcards
(13 cards)
What is an incident in Microsoft Sentinel?
A group of related alerts bundled together to tell a broader attack story.
Where do you view incidents?
Microsoft Sentinel > [Workspace] > Incidents
What information does an incident contain?
Associated alerts, entities, severity, investigation timeline, graph view, status, assignment, and comments.
What is the purpose of grouping alerts into incidents?
It reduces alert fatigue by showing a coherent view of related activity instead of flooding analysts with noise.
What is the investigation graph?
A visual map of alerts and entities in an incident that helps analysts understand the scope and progression of the attack.
Can I manually create or assign incidents?
Yes. You can manually create, assign, tag, and manage incidents in Sentinel.
What can you do from the incident pane?
Review alerts, view timelines, launch automation, comment, assign, and change incident status.
Why should customers care about incidents?
Incidents give analysts a streamlined, contextual view of what’s happening, enabling faster triage and investigation.
What’s the difference between an alert and an incident?
An alert is one signal firing; an incident groups multiple related alerts into a single investigation case.
Can automation be triggered from incidents?
Yes. Playbooks can be launched manually or automatically from incident triggers.
What entities are typically shown in an incident?
Users, hosts, IP addresses, mailboxes, apps—any object tied to the alerts in the incident.
What are the benefits of the timeline view in incidents?
It shows the chronological order of alerts and helps analysts reconstruct the sequence of attacker behavior.
What’s the benefit of assigning incidents to users?
It supports workflow and accountability in the SOC, ensuring every incident is tracked and resolved.