Using Azure Sentinel with Azure App Gateway to Investigate Web Attacks – Part 5 Incidents

Roy Kim on Azure, Office 365 and SharePoint

The previous blog post part 4, I have shown how to create Analytics rules that alert for SQL Injection attacks.

I will show the incidents that are generated from this rule to do further investigation. Your organization may have a cyber security team that will monitor, analyze and investigate incidents to evaluate threats. Incidents investigation and having the workflow to manage the lifecycle is one of the essential capabilities of a Security Incident Event Management (SIEM) system. As part of an investigation, it is assigned to an appropriate subject matter expert. And then determine the next steps, such as disregard due to a false-positive, contain the threat, quarantine, block the source of threat, document in knowledge base or more.

In the incidents blade, you can see a list of incidents generated by the analytics rule I have created.