L11. Sentinel Incidents: Investigation and Evidence

Sentinel Incidents vs Defender XDR Incidents

When Sentinel is connected to the Defender portal, incidents from both systems appear in a unified queue. Key differences:

When the Defender XDR connector is active, Defender incidents sync bi-directionally with Sentinel.

Incident Lifecycle

1. New: Incident created by analytics rule or connector
2. Active: Analyst is investigating
3. Closed: Investigation complete (classification: True Positive, Benign Positive, False Positive, Undetermined)

Incident properties include severity, owner, status, tags, and a description/comments field for analyst notes.

The Investigation Graph

The investigation graph provides a visual map of an incident. Starting from the incident's alerts, it shows:

• Entities involved (users, hosts, IPs, files, mailboxes)
• Relationships between entities
• Related alerts from other incidents
• Timeline of activities

Clicking an entity in the graph opens its entity page. Expanding an entity reveals its connections: which hosts a user logged into, which IPs connected to a host, which files were executed. Exam tip: The investigation graph is the primary tool for understanding the scope of an incident. Use "Expand" on entities to discover additional related activity.

Entity Pages

Each entity type has a dedicated page aggregating information across all data sources: User entity page:

• Entra ID profile information
• Sign-in activity and anomalies
• Group memberships
• Alerts and incidents involving this user
• UEBA insights (if enabled)
• Lateral movement paths (if Defender for Identity connected)

Host entity page:

• Device information and installed agents
• Security events and alerts
• Logon activity
• Process execution history
• Network connections

Bookmarks

Bookmarks save specific query results as investigation evidence. When hunting or running ad-hoc queries, analysts can:

1. Run a KQL query
2. Select interesting rows in the results
3. Add them as a bookmark with notes
4. Attach the bookmark to an existing incident

Bookmarks preserve the exact data at the time of the query, creating a forensic record even if the underlying data changes or ages out of retention. Exam tip: Bookmarks are used to save hunting query results as evidence. They can be attached to incidents and are visible in the investigation graph.

Tasks

Incident tasks let SOC leads define investigation checklists. A task list can include steps like:

• Verify the affected user's recent activity
• Check if the source IP appears in threat intelligence
• Determine the blast radius
• Contact the user for confirmation

Tasks can be added manually or automatically through automation rules.

Comments and Activity Log

Every incident has a comments section where analysts document their findings and decisions. The activity log tracks all changes: status updates, severity changes, owner assignments, and automation rule executions.

Closing Incidents

When closing an incident, analysts must select a classification:

• True Positive: Suspicious activity: Confirmed malicious activity
• Benign Positive: Suspicious but expected: Legitimate activity that triggered the rule (e.g., security scan)
• False Positive: Incorrect alert logic: The rule needs tuning
• Undetermined: Insufficient evidence to classify

This classification data feeds into analytics rule tuning and SOC metrics.