Automate your SOC – Is there anything else going on?

Microsoft Sentinel Related Alerts

This post builds upon your initial installation and provides a deeper understanding of each of the modules (Logic Apps) that make up MSTAT. See the links below for earlier posts. You can also find all related posts by searching this blog. The Related Alerts module takes the incident entity data and determines whether other alerts about those same entities exist in Microsoft Sentinel within a specified timeframe.

This is one of the core modules to incorporate into your MSTAT implementation. It serves as a correlation engine, bringing to the analyst and to the scoring system any related events that share entities with the incident. The SIEM does not always roll related incidents up on its own, so this module is a secondary means of providing that capability.

Supported Entity Types

  • Account
  • Host
  • IP Address

Module Trigger Parameters

Parameter | Expected Values | Description
--- | --- | ---
AddIncidentComments | True/False (Default: True) | When set to true, the results of the query will be added to the Sentinel Incident Comments
CheckAccountEntityMatches | True/False (Default: True) | When set to true, the module will look for related alerts based on the Account entity type
CheckHostEntityMatches | True/False (Default: True) | When set to true, the module will look for related alerts based on the Host entity type
CheckIPEntityMatches | True/False (Default: True) | When set to true, the module will look for related alerts based on the IP entity type
Base Module Body | Body (dynamic content) | The Body should be selected from the Dynamic content of the Base-Module response
LookbackInDays | 1-90 | This defines how far back to look through the SecurityAlert tables in Sentinel

Module Return Properties

Property | Description
--- | ---
AllTactics | An array of unique MITRE tactics, including all tactics linked directly to the incident as well as any found in related alerts
AllTacticsCount | Count of unique MITRE tactics from AllTactics
DetailedResults | An array of each related alert that was found
HighestSeverityAlert | The severity of the highest severity alert found (High, Medium, Low or Informational)
ModuleName | The internal name of the Playbook
RelatedAlertsCount | Number of related alerts found. This number may exceed the sum of the other related alert counts, as an alert may be related to more than one entity type.
RelatedAlertsFound | true/false indicating if related alerts were found
RelatedAccountAlertsCount | Number of alerts related to the account entity found
RelatedAccountAlertsFound | true/false indicating if alerts related to the account entity were found
RelatedHostAlertsCount | Number of alerts related to the host entity found
RelatedHostAlertsFound | true/false indicating if alerts related to the host entity were found
RelatedIPAlertsCount | Number of alerts related to the IP entity found
RelatedIPAlertsFound | true/false indicating if alerts related to the IP entity were found

Scoring Related Alerts

When scoring the Related Alerts module, the following default scores are assigned based on the alert severity:

Alert Severity | Score
--- | ---
High | 10
Medium | 5
Low | 3
Informational | 1

Note: If ScorePerItem=True, the sum of all alert scores will be returned. If ScorePerItem=False, only the score of the highest severity alert will be returned.

Additionally, a score of 10 is added per unique MITRE tactic associated with the incident and any related alerts.
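To make the scoring rules concrete, here is an added worked example (not the MSTAT Logic App's own code) that computes the module score from a constructed set of related alerts shaped like DetailedResults entries. It assumes each alert carries an AlertSeverity and a Tactics list, and that the tactic bonus is applied whether or not related alerts were found.

```python
# Added example: Related Alerts scoring as described in the post.
# The alert records and tactic names below are constructed sample data.
SEVERITY_SCORE = {"High": 10, "Medium": 5, "Low": 3, "Informational": 1}
TACTIC_SCORE = 10  # added once per unique MITRE tactic

# Constructed sample: three related alerts, two sharing a tactic.
RELATED_ALERTS = [
    {"AlertSeverity": "High", "Tactics": ["InitialAccess", "Persistence"]},
    {"AlertSeverity": "Medium", "Tactics": ["Persistence"]},
    {"AlertSeverity": "Low", "Tactics": ["CredentialAccess"]},
]
INCIDENT_TACTICS = ["InitialAccess"]  # tactics already on the incident


def all_tactics(incident_tactics, related_alerts):
    """Unique tactics across the incident and every related alert (AllTactics)."""
    seen = set(incident_tactics)
    for alert in related_alerts:
        seen.update(alert.get("Tactics", []))
    return sorted(seen)


def highest_severity(related_alerts):
    """Severity of the most severe related alert (HighestSeverityAlert)."""
    if not related_alerts:
        return None
    return max((a["AlertSeverity"] for a in related_alerts),
               key=lambda sev: SEVERITY_SCORE.get(sev, 0))


def related_alerts_score(incident_tactics, related_alerts, score_per_item):
    """Module score: severity component plus TACTIC_SCORE per unique tactic.

    ScorePerItem=True sums every related alert's severity score;
    ScorePerItem=False counts only the highest severity alert.
    Assumption: the tactic bonus is added even when no alerts were found.
    """
    if not related_alerts:
        severity_part = 0
    elif score_per_item:
        severity_part = sum(SEVERITY_SCORE.get(a["AlertSeverity"], 0)
                            for a in related_alerts)
    else:
        severity_part = SEVERITY_SCORE.get(highest_severity(related_alerts), 0)
    tactic_part = TACTIC_SCORE * len(all_tactics(incident_tactics, related_alerts))
    return severity_part + tactic_part


if __name__ == "__main__":
    for per_item in (True, False):
        print(f"ScorePerItem={per_item}: "
              f"{related_alerts_score(INCIDENT_TACTICS, RELATED_ALERTS, per_item)}")
```

With the sample data, three unique tactics contribute 30 points, so ScorePerItem=True yields 48 (10+5+3+30) and ScorePerItem=False yields 40 (10+30).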

All right. Now we're making even more progress. Next time, we'll talk about the Microsoft Defender for Endpoint module, a powerful tool for checking a user's device risk.

Check out our previous posts in this series.

Let’s automate your SOC – Introduction to automating your Microsoft Sentinel

Automate your SOC – Let’s talk about STAT, baby – Introduction and installation of Microsoft STAT Triage

Automate your SOC – Noise is the enemy of speed – How to optimize your incidents

Automate your SOC – Risky Business – Giving your incidents a risk score

Automate your SOC – Oh, that user again? Enrich your incident by checking a user's Sign In Risk