Using Azure Sentinel with Azure App Gateway to Investigate Web Attacks – Part 5 Incidents

Roy Kim on Azure, Office 365 and SharePoint

In the previous blog post, part 4, I showed how to create analytics rules that alert on SQL injection attacks.

I will show the incidents that are generated from this rule so that further investigation can be done. Your organization may have a cyber security team that monitors, analyzes and investigates incidents to evaluate threats. Incident investigation, and having a workflow to manage the incident lifecycle, is one of the essential capabilities of a Security Incident Event Management (SIEM) system. As part of an investigation, the incident is assigned to an appropriate subject matter expert, who then determines the next steps, such as disregarding it as a false positive, containing the threat, quarantining, blocking the source of the threat, documenting it in a knowledge base, or more.

In the incidents blade, you can see a list of incidents generated by the analytics rule I have created.

  1. The incident item with an autogenerated incident ID. In this…
