Update SOC processes

A security operations center (SOC) is a centralized function within an organization that integrates people, processes, and technology. A SOC implements the organization's overall cybersecurity framework. The SOC collaborates the organizational efforts to monitor, alert, prevent, detect, analyze, and respond to cybersecurity incidents. SOC teams, led by a SOC manager, may include incident responders, SOC analysts at levels 1, 2, and 3, threat hunters, and incident response managers.

SOC teams use telemetry from across the organization's IT infrastructure, including networks, devices, applications, behaviors, appliances, and information stores. The teams then co-relate and analyze the data, to determine how to manage the data and which actions to take.

To successfully migrate to Microsoft Sentinel, you need to update not only the technology that the SOC uses, but also the SOC tasks and processes. This article describes how to update your SOC and analyst processes as part of your migration to Microsoft Sentinel.

Update analyst workflow

Microsoft Sentinel offers a range of tools that map to a typical analyst workflow, from incident assignment to closure. Analysts can flexibly use some or all of the available tools to triage and investigate incidents. As your organization migrates to Microsoft Sentinel, your analysts need to adapt to these new toolsets, features, and workflows.

Incidents in Microsoft Sentinel

In Microsoft Sentinel, an incident is a collection of alerts that Microsoft Sentinel determines have sufficient fidelity to trigger the incident. Hence, with Microsoft Sentinel, the analyst triages incidents in the Incidents page first, and then proceeds to analyze alerts, if a deeper dive is needed. Compare your SIEM's incident terminology and management areas with Microsoft Sentinel.

Analyst workflow stages

This table describes the key stages in the analyst workflow, and highlights the specific tools relevant to each activity in the workflow.

Assign Triage Investigate Respond
Assign incidents:
• Manually, in the Incidents page
• Automatically, using playbooks or automation rules
Triage incidents using:
• The incident details in the Incident page
• Entity information in the Incident page, under the Entities tab
• Jupyter Notebooks
Investigate incidents using:
• The investigation graph
• Microsoft Sentinel Workbooks
• The Log Analytics query window
Respond to incidents using:
• Playbooks and automation rules
• Microsoft Teams War Room

The next sections map both the terminology and analyst workflow to specific Microsoft Sentinel features.

Assign

Use the Microsoft Sentinel Incidents page to assign incidents. The Incidents page includes an incident preview, and a detailed view for single incidents.

Screenshot of Microsoft Sentinel Incidents page.

To assign an incident:

Screenshot of assigning an owner in the Incidents page.

Triage

To conduct a triage exercise in Microsoft Sentinel, you can start with various Microsoft Sentinel features, depending on your level of expertise and the nature of the incident under investigation. As a typical starting point, select View full details in the Incident page. You can now examine the alerts that comprise the incident, review bookmarks, select entities to drill down further into specific entities, or add comments.

Screenshot of viewing incident details in the Incidents page.

Here are suggested actions to continue your incident review:

  • Select Investigation for a visual representation of the relationships between the incidents and the relevant entities.
  • Use a Jupyter notebook to perform an in-depth triage exercise for a particular entity. You can use the Incident triage notebook for this exercise.

Screenshot of Incident triage notebook, including detailed steps in TOC.

Expedite triage

Use these features and capabilities to expedite triage:

  • For quick filtering, in the Incidents page, search for incidents associated to a specific entity. Filtering by entity in the Incidents page is faster than filtering by the entity column in legacy SIEM incident queues.
  • For faster triage, use the Alert details screen to include key incident information in the incident name and description, such as the related user name, IP address, or host. For example, an incident could be dynamically renamed to Ransomware activity detected in DC01, where DC01 is a critical asset, dynamically identified via the customizable alert properties.
  • For deeper analysis, in the Incidents page, select an incident and select Events under Evidence to view specific events that triggered the incident. The event data is visible as the output of the query associated with the analytics rule, rather than the raw event. The rule migration engineer can use this output to ensure that the analyst gets the correct data.
  • For detailed entity information, in the Incidents page, select an incident and select an entity name under Entities to view the entity's directory information, timeline, and insights. Learn how to map entities.
  • To link to relevant workbooks, select Incident preview. You can customize the workbook to display additional information about the incident, or associated entities and custom fields.

Investigate

Use the investigation graph to deeply investigate incidents. From the Incidents page, select an incident and select Investigate to view the investigation graph.

Screenshot of the investigation graph.

With the investigation graph, you can:

  • Understand the scope and identify the root cause of potential security threats by correlating relevant data with any involved entity.
  • Dive deeper into entities, and choose between different expansion options.
  • Easily see connections across different data sources by viewing relationships extracted automatically from the raw data.
  • Expand your investigation scope using built-in exploration queries to surface the full scope of a threat.
  • Use predefined exploration options to help you ask the right questions while investigating a threat.

From the investigation graph, you can also open workbooks to further support your investigation efforts. Microsoft Sentinel includes several workbook templates that you can customize to suit your specific use case.

Screenshot of a workbook opened from the investigation graph.

Respond

Use Microsoft Sentinel automated response capabilities to respond to complex threats and reduce alert fatigue. Microsoft Sentinel provides automated response using Logic Apps playbooks and automation rules.

Screenshot of Playbook templates tab in Automation blade.

Use one of the following options to access playbooks:

These sources include a wide range of security-oriented playbooks to cover a substantial portion of use cases of varying complexity. To streamline your work with playbooks, use the templates under Automation > Playbook templates. Templates allow you to easily deploy playbooks into the Microsoft Sentinel instance, and then modify the playbooks to suit your organization's needs.

See the SOC Process Framework to map your SOC process to Microsoft Sentinel capabilities.

Compare SIEM concepts

Use this table to compare the main concepts of your legacy SIEM to Microsoft Sentinel concepts.

ArcSight QRadar Splunk Microsoft Sentinel
Event Event Event Event
Correlation Event Correlation Event Notable Event Alert
Incident Offense Notable Event Incident
List of offenses Tags Incidents page
Labels Custom field in SOAR Tags Tags
Jupyter Notebooks Jupyter Notebooks Microsoft Sentinel notebooks
Dashboards Dashboards Dashboards Workbooks
Correlation rules Building blocks Correlation rules Analytics rules
Incident queue Offenses tab Incident review Incident page

Next steps

After migration, explore Microsoft's Microsoft Sentinel resources to expand your skills and get the most out of Microsoft Sentinel.

Also consider increasing your threat protection by using Microsoft Sentinel alongside Microsoft Defender XDR and Microsoft Defender for Cloud for integrated threat protection. Benefit from the breadth of visibility that Microsoft Sentinel delivers, while diving deeper into detailed threat analysis.

For more information, see: