Automate your SOC – Is there anything else going on?

Microsoft Sentinel Related Alerts

This post builds upon your initial installation and provides a deeper understanding of each of the modules (log apps) that make up MSTAT. See the links below for earlier posts. You can also find all related posts by searching this blog. The Related Alerts module takes the incident entity data and determines if other alerts about those same entities exist in Microsoft Sentinel within a specified timeframe.

This module is part of our core modules to incorporate into your MSTAT implementation. This module serves as a correlation engine to bring to the analyst and the scoring system any related events based on common connections of the entities. Sometimes, the SIEM does not roll up incidents, so this is a secondary means of providing the capability.

Supported Entity Types

  • Account
  • Host
  • IP Address

Module Trigger Parameters

ParameterExpected ValuesDescription
AddIncidentCommentsTrue/False (Default:True)When set to true, the results of the query will be added to the Sentinel Incident Comments
CheckAccountEntityMatchesTrue/False (Default:True)When set to true, the module will look for related alerts based on the Account entity type
CheckHostEntityMatchesTrue/False (Default:True)When set to true, the module will look for related alerts based on the Host entity type
CheckIPEntityMatchesTrue/False (Default:True)When set to true, the module will look for related alerts based on the IP entity type
Base Module BodyBody (dynamic content)The Body should be selected from the Dynamic content of the Base-Module response
LookbackInDays1-90This defines how far back to look through the SecurityAlert tables in Sentinel

Module Return Properties

AllTacticsAn array of unique MITRE tactics including all tactics linked directly to the incident as well as any found in related alerts
AllTacticsCountCount of unique MITRE tactics from AllTactics
DetailedResultsAn array of each related alert that was found
HighestSeverityAlertThe severity of the highest severity alert found (High, Medium, Low or Informational)
ModuleNameThe internal Name of the Playbook
RelatedAlertsCountNumber of related alerts found. This number may exceed the sum of other related alert counts as an alert may be related to more than one entity type.
RelatedAlertsFoundtrue/false indicating if related alerts were found
RelatedAccountAlertsCountNumber of alerts related to account entity found
RelatedAccountAlertsFoundtrue/false indicating if alerts related to account entity were found
RelatedHostAlertsCountNumber of alerts related to host entity found
RelatedHostAlertsFoundtrue/false indicating if alerts related to host entity were found
RelatedIPAlertsCountNumber of alerts related to ip entity found
RelatedIPAlertsFoundtrue/false indicating if alerts related to ip entity were found

Scoring Related Alerts

When scoring the Related Alerts module consider the following default scores are assigned based on the Alert Severity:


Note: If ScorePerItem=True, the sum of all alert scores will be returned. If ScorePerItem=False, only the score of the highest severity alert will be returned.

Additionally, a score of 10 is added per unique MITRE tactic associated with the incident and any related alerts.

All right. Now, we’re making even more progress. Next time, we’ll talk about the Microsoft Defender For Endpoint module – a powerful tool for checking user’s device risk.

Check out our previous posts in this series.

Let’s automate your SOC – Introduction to automating your Microsoft Sentinel

Automate your SOC – Let’s talk about STAT, baby – Introduction and installation of Microsoft STAT Triage

Automate your SOC – Noise is the enemy of speed – How to optimize your incidents

Automate your SOC – Risky Business – Giving your incidents a risk score

Automate your SOC – Oh, that user again? Enrich your incident with by checking user’s Sign In Risk