There is a question in the community about the alert field in the Incident page, and about what it means.
In this article, let's talk about that and see how to distinguish an alert generated by Azure Sentinel from one generated by Azure Security Center.
Before you can follow this article, you should check the following articles on how to generate an alert and how to feed Azure Security Center alerts into the Azure Sentinel Incident page:
How is an alert generated?
An alert is generated when the result of a detection rule meets the rule's threshold condition. For example, you might want to generate an alert when there are more than 5 failed authentication attempts from a single source IP address within 10 minutes. Another one would be to generate an alert when a sign-in comes from a non-trusted location outside working hours. In Azure Sentinel, there are two types of rules:
- Scheduled query rule
- Microsoft incident creation rule
A scheduled analytics rule allows you to write a rule and set its rule logic. The rule is written in Kusto Query Language. The rule logic lets you set the run frequency as well as the data lookup period. The important value in the rule logic is the alert threshold: it is the condition Azure Sentinel evaluates in order to generate an alert. For example, when building a failed-authentication rule you set the threshold to "is greater than 1". When the query executes, if the number of results meets that threshold, Azure Sentinel creates an alert and also creates an incident, which is what you see in the Incident page.
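As an added example (not code from the original article), here is the kind of rule query a scheduled analytics rule would run for the "more than 5 failed authentication attempts from one IP within 10 minutes" case described above. It assumes Azure AD sign-in logs are connected to the workspace (the SigninLogs table), where ResultType "0" means a successful sign-in and any other value is a failure.

```kusto
// Added example, not part of the original article.
// Assumes the SigninLogs table (Azure AD sign-in logs) is connected to the workspace.
SigninLogs
| where TimeGenerated > ago(10m)          // lookup period; matches the rule's query period when run ad hoc
| where ResultType != "0"                 // keep failed sign-ins only ("0" = success)
| summarize FailedCount  = count(),
            Accounts     = make_set(UserPrincipalName),
            FirstFailure = min(TimeGenerated),
            LastFailure  = max(TimeGenerated)
            by IPAddress
| where FailedCount > 5                   // one row per source IP that crossed the 5-attempt line
| project IPAddress, FailedCount, Accounts, FirstFailure, LastFailure
```

Each returned row is already one source IP over the limit, so the rule logic that fits this query is "run every 10 minutes, look up the last 10 minutes, generate an alert when the number of results is greater than 0". The `ago(10m)` filter is kept so the query behaves the same when you run it by hand in Logs as it does inside the rule.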
Where are alerts stored?
It is not difficult to figure out where alerts are stored, no matter what source they come from. As of this article, all alerts are stored in the SecurityAlert table in the Log Analytics workspace that Azure Sentinel is associated with. To list all alerts that do not come from an Azure Sentinel scheduled query rule, you can run the following query:
SecurityAlert
| where ProductName != "Azure Sentinel"
To list all alerts that are generated by an Azure Sentinel scheduled query rule, run the following query:
SecurityAlert
| where ProductName == "Azure Sentinel"
By checking the results we can conclude that all alerts are stored in the SecurityAlert table and that the way to distinguish them is to check ProductName. You can additionally filter on ProviderName if you want only alerts from Azure Sentinel scheduled rules, by adding | where ProviderName == "ASI Scheduled Alerts"
How are they different?
The main difference you will notice is in ExtendedProperties. For an Azure Sentinel scheduled query rule you can see the rule details, including the query, the rule logic and the rule threshold. For a Microsoft incident creation rule, the detection rule may not be visible; it depends on the product name, and with Azure Security Center the rule is a black box.
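The following query is an added example (not from the original article) that ties together the two points above: it labels each SecurityAlert row by source using ProductName and ProviderName, and for the Sentinel scheduled-rule alerts it pulls the rule details out of ExtendedProperties, leaving those columns empty for Azure Security Center alerts where the rule is not exposed. The ExtendedProperties key names "Query", "Query Period", "Trigger Operator" and "Trigger Threshold" are an assumption about what a scheduled rule writes; check them against a real alert in your workspace before relying on the column names.

```kusto
// Added example, not part of the original article.
// Assumption: the ExtendedProperties keys used below are the ones a scheduled
// rule writes; verify against your own SecurityAlert rows.
SecurityAlert
| where TimeGenerated > ago(7d)
| extend Source = case(
    ProductName == "Azure Sentinel" and ProviderName == "ASI Scheduled Alerts", "Sentinel scheduled rule",
    ProductName == "Azure Security Center", "Azure Security Center",
    strcat("Other: ", ProductName))
| extend props = parse_json(ExtendedProperties)
| extend IsSentinelRule = Source == "Sentinel scheduled rule"
| extend RuleQuery        = iff(IsSentinelRule, tostring(props["Query"]), ""),
         QueryPeriod      = iff(IsSentinelRule, tostring(props["Query Period"]), ""),
         TriggerOperator  = iff(IsSentinelRule, tostring(props["Trigger Operator"]), ""),
         TriggerThreshold = iff(IsSentinelRule, tostring(props["Trigger Threshold"]), "")
| project TimeGenerated, AlertName, AlertSeverity, Source, ProductName, ProviderName,
          RuleQuery, QueryPeriod, TriggerOperator, TriggerThreshold
| order by TimeGenerated desc
```

Replacing the final `project` and `order by` with `| summarize Alerts = count() by Source` gives a quick count of how many alerts in the window came from each source, which is a handy first check when an incident's alert field is not what you expected.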
When is an incident generated?
When an alert is generated, an incident is generated too and can be seen in the Azure Sentinel Incident page. The diagram below gives you a high-level flow of incident creation.
Can an incident be created without an alert? The answer is yes. Here is an approach to generate an incident without an alert or detection rule: https://azsec.azurewebsites.net/2020/01/06/create-a-fully-customized-azure-sentinel-incident/
Can an alert be generated without an incident? The answer is no. An incident is always generated when an alert is generated; that is just the concept. An incident can be marked as a false positive and closed if you think the alert should not have generated an incident.
Can multiple alerts generate one incident?
As of this article, the only rule that can generate one incident from multiple alerts is called Advanced Multistage Attack Detection, which uses a capability called Fusion. This rule combines multiple rules in order to detect an attack chain across AAD identity and Office 365. For example, an attacker may compromise a user identity and then exfiltrate email or data. In this case there are two detection rules.
For details on which rules are included, check this article: https://docs.microsoft.com/en-us/azure/sentinel/fusion
Beyond this rule, it is not possible to build the same model for custom query rules.