Before digging into the definitions and recommendations for each classification, it's important to understand the reasoning behind them. The first thing to understand is that when you assign the appropriate classification, the data is used by the product team to improve the out-of-the-box (OOTB) detections. The classification is used to limit false positives as much as possible. In the future, there may also be additional functionality for Incident confidence and rule tuning suggestions, among other things. With this in mind, the classifications and the definitions behind each one make more sense, particularly the false positive selections. By selecting the appropriate classification, you are helping the product team, which in turn helps you because it makes Azure Sentinel better.

And, can I take a brief moment here? THIS IS IMPORTANT. By using the Closed classifications, selecting the correct ones, and providing proper feedback in the comments, you are not just helping yourself; you're helping all Azure Sentinel customers. Don't underestimate your value and your place in this process! Just by doing this, and doing it correctly, you are massively improving the accuracy and intelligence of the product.

True Positive – suspicious activity = Choose this classification when you've performed a complete investigation that resulted in an actual security issue, the culprit was identified, and the situation was truly remediated.

Benign Positive – suspicious but expected = Choose this classification if the event is something you still want to be notified about in the future, but the individual (user account) who did it, or the hostname or IP address used, was expected. A good example of this is when someone adds a device to an NSG with elevated access. As a security team, that's something you want to know about. But, as part of the investigation, you determine it was a valid change management operation carried out by a trusted individual. This gives you the opportunity to add that trusted individual to a Watchlist so that this specific person is not captured in any future dragnet. Next time, you'll only be alerted on non-trusted accounts.

False Positive – incorrect alert logic = Choose this classification when you believe the logic behind the Analytics Rule is wrong. If it's an Analytics Rule you created, make sure to adjust the rule to fix it. If it's one of ours, you can adjust it, but know that the original rule template will be vetted and potentially adjusted. Make sure to be precise in the commenting. Thanks for your help!

False Positive – inaccurate data = Choose this classification when you believe any of the data contained in the Incident is wrong.
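The Benign Positive workflow above (keep the detection, but stop re-alerting on the one trusted identity) is what a Watchlist exclusion in the Analytics Rule query looks like in practice. The KQL below is an added example written for this page, not a rule template shipped with Azure Sentinel or code from the post. It assumes a Watchlist created with the alias `TrustedChangeAccounts` whose SearchKey column holds the user principal name of each approved change-management account; that alias and the one-hour lookback are assumptions. The rule still fires for every NSG or NSG-rule write, so an attacker using an untrusted account is still caught; only callers on the Watchlist are dropped.

```kql
// Added example: alert on NSG changes made by anyone NOT on the trusted Watchlist.
// Watchlist alias "TrustedChangeAccounts" is assumed; its SearchKey is the UPN.
let trusted = _GetWatchlist('TrustedChangeAccounts')
    | project TrustedCaller = tolower(SearchKey);
AzureActivity
| where TimeGenerated > ago(1h)                         // assumed rule lookback
// NSG object writes and NSG security-rule writes (operation names are case-insensitive with =~)
| where OperationNameValue =~ "MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/WRITE"
     or OperationNameValue =~ "MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/SECURITYRULES/WRITE"
| where ActivityStatusValue =~ "Success"                // only changes that actually applied
| extend CallerLower = tolower(Caller)                  // normalise for the join
// leftanti keeps only rows whose caller does NOT appear in the Watchlist
| join kind=leftanti trusted on $left.CallerLower == $right.TrustedCaller
| project TimeGenerated, Caller, CallerIpAddress, OperationNameValue,
          ResourceGroup, _ResourceId
```

Because the exclusion is keyed on the identity and not on the operation, the Benign Positive closure changes who is alerted on, not what is detected. If you later need to exclude a source IP instead of an account, add a second Watchlist keyed on `CallerIpAddress` rather than loosening the operation filter.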