Azure Sentinel Rare Occurrences Incidents Generated After Setup

One of the official Microsoft offerings I deliver to customers includes a Day 1 setup of Azure Sentinel – which then leads into a 3-day workshop. But, that Day 1 setup is important so we have the customer’s real data to work with the rest of the week and the customer has data to continue their learning and business integration after the workshop is complete.

One of the things that customers notice right away after setup and enabling a few Data Connectors is the number of Incidents created based on “rare” occurrences. An example is shown in the following image…

Incidents for Rare Occurrences

Think about it. The customer has setup Azure Sentinel for the very first time and enabled Data Connectors. It makes sense that there would be “rare” operations identified because it’s the first time ever these have been detected.

It’s critical to keep these specific Analytics Rules enabled because they represent important threats to keep track of and be alerted about – however, after setting up Azure Sentinel the first time, you may want to make some temporary adjustments as these will flatten out over time.

First off…make sure to identify the accounts and hostnames associated as Entities to the Incident to confirm the hosts and users are part of your organization. Once these have been confirmed, manage the Incident lifecycle by making a note, assigning the Incident to yourself (or whoever is applicable), and set the Status to “Closed – Benign Positive – suspicious but expected“.

Benign Positive

You may also want to adjust the Analytics Rules associated with these Incidents for the time being to help eliminate some noise.

The specific Analytics Rules are:

RuleConnector
Rare subscription-level operations in AzureAzure Activity
Rare application consentAzure Active Directory
Rare RDP ConnectionsSecurity Events
SharePointFileOperation via previously unseen IPsOffice 365
SharePointFileOperation via devices with previously unseen user agentsOffice 365
Rare Occurrence Analytics Rules

Consider adjusting the alert grouping for each to make them less noisy.

Modifying Alert Grouping

Author