Incident investigation is where security operations transforms raw alerts into actionable intelligence. Microsoft Sentinel provides powerful tools to help analysts efficiently triage, investigate, and resolve security incidents. This guide covers the complete investigation workflow from initial triage to case closure.
## Prerequisites

Before investigating incidents, ensure you have:
- Microsoft Sentinel Responder role or higher
- Access to the Log Analytics workspace for running queries
- Understanding of your environment (normal vs. suspicious activity)
- Incident response playbook or documented procedures
- Knowledge of entity types and their relationships
## Understanding the Incident Queue

### Access the Incident Queue

- In Microsoft Sentinel, go to Threat management > Incidents
- The queue shows all open incidents sorted by severity and time
### Incident Queue Columns
| Column | Description |
|---|---|
| Severity | High, Medium, Low, Informational |
| Title | Generated from analytics rule name |
| Status | New, Active, Closed |
| Owner | Assigned analyst |
| Alerts | Number of correlated alerts |
| Product names | Source systems that generated alerts |
| Last activity | Most recent alert or update time |
### Filter and Sort Incidents

Use filters to focus your queue:
- Status: New (untriaged), Active (in progress)
- Severity: Start with High severity
- Owner: Unassigned incidents need attention
- Time range: Focus on recent incidents first
## Step 1: Initial Triage

Triage determines whether an incident requires full investigation or can be quickly resolved.

### Quick Triage Checklist
- Read the incident title and description - What was detected?
- Review the severity - Is this appropriate for the alert type?
- Check the entities - Who or what is affected?
- Look at alert count - Multiple alerts suggest confirmed activity
- Review timestamps - When did this occur? Is it ongoing?
### Open the Incident
- Click on an incident to open the details panel
- Review the Overview tab for summary information
- Scan the Alerts section to understand what triggered the incident
### Make an Initial Classification
| Classification | Action |
|---|---|
| Requires Investigation | Set status to Active, assign to analyst |
| Known False Positive | Close as False Positive, tune the rule |
| Informational | Review, add notes, close if expected |
| Duplicate | Link to existing incident, close as duplicate |
## Step 2: Assign and Document

### Assign the Incident
- Click Manage in the incident panel
- Under Owner, select yourself or appropriate analyst
- Set Status to Active
- Click Apply
### Add Initial Comments

Document your initial assessment:
- Click Comments tab
- Add your triage notes:
  - Initial observations
  - Hypothesis about what occurred
  - Investigation plan
- Click Save
### Create Investigation Tasks

Use tasks to track investigation steps:
- Click Tasks tab
- Click Add task
- Create tasks for your investigation plan:
  - "Review entity timeline"
  - "Check for related alerts"
  - "Investigate source IP"
  - "Interview affected user"
- Check tasks off as you complete them
## Step 3: Analyze Entities

Entities are the core of the investigation: they represent the users, hosts, IPs, and other elements involved in the incident.

### View Entity Details
- Click the Entities tab in the incident
- Select an entity to view its details
- Review the entity page for context
### Entity Types and Key Information
| Entity Type | Key Data Points to Review |
|---|---|
| Account | Sign-in history, group memberships, recent activities |
| Host | Running processes, installed software, network connections |
| IP Address | Geolocation, threat intelligence, associated accounts |
| URL/Domain | Reputation, related alerts, access patterns |
| File | Hash reputation, execution history, prevalence |
### Run Entity Queries
From the entity page, click View full details to access:
- Timeline: All activities involving this entity
- Insights: Automated analysis and anomalies
- Related alerts: Other incidents involving this entity
### Investigation Graph
For visual analysis:
- Click Investigate button on the incident
- The investigation graph shows entity relationships
- Expand entities to see connections
- Look for patterns connecting multiple entities
## Step 4: Reconstruct the Timeline

Understanding the sequence of events is critical for determining scope and impact.

### Build a Timeline
- Go to Logs in Microsoft Sentinel
- Run timeline queries for involved entities:

```kql
// Account activity timeline
let TargetUser = "[email protected]";   // replace with the UPN of the account under investigation
union SigninLogs, AuditLogs, SecurityEvent, OfficeActivity
| where TimeGenerated > ago(24h)
| where UserPrincipalName == TargetUser or
        Account contains TargetUser or
        UserId == TargetUser
// coalesce() requires one type, so the numeric EventID is cast to string;
// OfficeActivity names its action column Operation, so it is included too
| project TimeGenerated, Type, Activity = coalesce(OperationName, Operation, Activity, tostring(EventID))
| order by TimeGenerated asc
```

```kql
// Host activity timeline
let TargetHost = "WORKSTATION01";
SecurityEvent
| where TimeGenerated > ago(24h)
| where Computer contains TargetHost
| where EventID in (4624, 4625, 4688, 4672, 4720, 4722, 4723, 4724, 4725, 4726)
| project TimeGenerated, EventID, Activity, Account, Computer
| order by TimeGenerated asc
```
### Key Timeline Events to Find
| Event Type | Significance |
|---|---|
| Initial access | How did the attacker gain entry? |
| Credential use | Were credentials stolen or misused? |
| Lateral movement | Did the attacker move to other systems? |
| Data access | What data was accessed or exfiltrated? |
| Persistence | Did the attacker establish ongoing access? |
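The table above lists the phases to look for, but the raw host timeline only shows event IDs. The query below is an added example (not part of the original guide) that extends the host timeline with a `Phase` label derived from the event ID and, for logons, the `LogonType`. The mapping is an analyst heuristic, not a Sentinel built-in, and assumes the standard `SecurityEvent` schema (`LogonType`, `IpAddress`, `Process`, `CommandLine`); the host name is a constructed placeholder.

```kql
// Added example: label each host event with the investigation phase it most likely belongs to
let TargetHost = "WORKSTATION01";   // constructed placeholder; use the host from your incident
SecurityEvent
| where TimeGenerated > ago(24h)
| where Computer has TargetHost
| where EventID in (4624, 4625, 4672, 4688, 4698, 4720, 4728, 4732)
| extend Phase = case(
    EventID == 4625, "Credential use - failed logon",
    EventID == 4624 and LogonType in (3, 10), "Lateral movement - network or RDP logon",
    EventID == 4624, "Credential use - successful logon",
    EventID == 4672, "Privilege use - special privileges assigned",
    EventID == 4688, "Execution - process created",
    EventID == 4698, "Persistence - scheduled task created",
    EventID in (4720, 4728, 4732), "Persistence - account or group membership change",
    "Other")
| project TimeGenerated, Phase, EventID, Account, LogonType, IpAddress, Process, CommandLine
| order by TimeGenerated asc
```

Read the output top to bottom: a failed-logon run, then a type 3 logon from an unfamiliar `IpAddress`, then 4688 process creations and a 4720 or 4698 event is the sequence the "Key Timeline Events" table describes, and the `Phase` column makes that ordering visible without memorising event IDs. Process-creation and scheduled-task events only appear if the corresponding audit policies are enabled on the host.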
## Step 5: Expand the Scope

Determine if the incident affects more than the initially detected entities.

### Search for Related Activity

Run broad queries to find related events:

```kql
// Find all activity from suspicious IP
let SuspiciousIP = "192.168.1.100";
// union * scans every table in the workspace; on large workspaces, list the
// tables you actually need instead to keep the query fast and within limits
union *
| where TimeGenerated > ago(7d)
| where IPAddress == SuspiciousIP or
        SourceIP == SuspiciousIP or
        ClientIP == SuspiciousIP
| summarize EventCount = count() by Type
| order by EventCount desc
```

```kql
// Find similar attacks across environment
SigninLogs
| where TimeGenerated > ago(7d)
| where ResultType == "50126" // Same failure code (ResultType is a string column)
| summarize
    Attempts = count(),
    TargetUsers = dcount(UserPrincipalName)
    by IPAddress
| where Attempts > 10
| order by Attempts desc
```
### Check for Additional Compromised Accounts

```kql
// Accounts that signed in from the suspicious IP
SigninLogs
| where TimeGenerated > ago(7d)
| where IPAddress == "suspicious_ip_here"
| where ResultType == "0" // Successful (ResultType is a string column)
| distinct UserPrincipalName
```
### Review Neighboring Alerts
- In the incident, check Related incidents
- Look for other incidents involving the same entities
- Consider merging related incidents for unified investigation
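The Related incidents view covers entities Sentinel has already linked. The query below is an added example (not from the original guide) that does the same pivot in Logs so it can be widened or scheduled: it finds every alert in `SecurityAlert` whose entity list contains a given IP, then joins those alerts to the incidents they were grouped into via `SecurityIncident.AlertIds`. It assumes the standard entity JSON (`Type: "ip"`, `Address`) in the `Entities` column; the IP value is a constructed placeholder.

```kql
// Added example: from one IP entity to every alert and incident that mentions it
let SuspiciousIP = "192.168.1.100";   // constructed placeholder; use the address from your incident
let MatchingAlerts =
    SecurityAlert
    | where TimeGenerated > ago(30d)
    | extend Ent = parse_json(Entities)      // Entities is a JSON array stored as a string
    | mv-expand Ent
    | where tostring(Ent.Type) == "ip" and tostring(Ent.Address) == SuspiciousIP
    | summarize arg_max(TimeGenerated, AlertName, AlertSeverity, ProviderName, Tactics)
        by SystemAlertId;
SecurityIncident
| where TimeGenerated > ago(30d)
| summarize arg_max(LastModifiedTime, *) by IncidentNumber   // latest state of each incident
| mv-expand AlertId = AlertIds
| extend AlertId = tostring(AlertId)
| join kind=inner MatchingAlerts on $left.AlertId == $right.SystemAlertId
| summarize AlertCount = count(),
            AlertNames = make_set(AlertName, 20),
            TacticsSeen = make_set(Tactics, 20),
            LastAlert = max(TimeGenerated1)
        by IncidentNumber, Title, Severity, Status, Classification,
           AssignedTo = tostring(Owner.assignedTo)
| order by LastAlert desc
```

Incidents that appear here but are not already linked to yours are candidates for merging; a different owner or a Closed status on one of them is worth a comment, because it usually means two analysts are looking at the same activity. To pivot on an account instead, change the entity filter to `Ent.Type == "account"` and compare `Ent.Name` (and `Ent.UPNSuffix`) with the user name.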
## Step 6: Collect Evidence

Document findings for reporting and potential legal proceedings.

### Bookmark Important Findings
- Run a query that shows relevant evidence
- Select the rows to bookmark
- Click Add bookmark
- Add tags and notes to the bookmark
- Bookmarks are preserved even if source logs age out
### Export Query Results
- Run your evidence query
- Click Export > Export to CSV
- Save for your incident documentation
### Take Screenshots
Capture visual evidence of:
- Investigation graph showing attack path
- Entity timelines
- Key log entries
- Dashboard views showing anomalies
## Step 7: Determine Classification
Based on your investigation, classify the incident:
| Classification | Criteria | Next Steps |
|---|---|---|
| True Positive | Confirmed malicious activity | Escalate, remediate, document lessons learned |
| Benign Positive | Real activity, but expected/authorized | Document, consider rule tuning |
| False Positive | Detection error, no malicious activity | Close, tune analytics rule |
| True Negative | Correctly identified non-threat | N/A (no incident generated) |
## Step 8: Close the Incident

### Document Final Findings

- Add a comprehensive closing comment including:
  - Summary of what occurred
  - Root cause determination
  - Scope of impact
  - Actions taken
  - Recommendations for prevention
### Set Classification and Close

- Click Manage on the incident
- Set Classification:
  - True Positive - Suspicious Activity
  - Benign Positive - Confirmed Activity
  - False Positive - Incorrect Data
  - False Positive - Incorrect Analytics
  - Undetermined
- Add Classification reason (required)
- Set Status to Closed
- Click Apply
## Investigation Best Practices
| Practice | Benefit |
|---|---|
| Document as you go | Creates audit trail, helps handoffs |
| Use bookmarks liberally | Preserves evidence, aids reporting |
| Follow consistent methodology | Ensures thorough investigation |
| Collaborate with teammates | Brings diverse expertise |
| Time-box investigations | Prevents tunnel vision on single incident |
| Learn from every incident | Improves detection and response |
## Common Investigation Pitfalls
| Pitfall | How to Avoid |
|---|---|
| Confirmation bias | Challenge your initial hypothesis |
| Incomplete scope | Always check for lateral movement |
| Rushed closure | Ensure root cause is determined |
| Missing documentation | Document findings throughout |
| Ignoring context | Consider business context and timing |
## Incident Investigation Checklist

Use this checklist for consistent investigations:
- Triage: Reviewed severity, entities, and alert details
- Assigned: Incident assigned to analyst, status set to Active
- Documented: Initial hypothesis and investigation plan noted
- Entities: All entities analyzed and expanded
- Timeline: Complete sequence of events reconstructed
- Scope: Related activity and additional targets identified
- Evidence: Key findings bookmarked and exported
- Classification: True/False positive determination made
- Remediation: Necessary response actions completed or escalated
- Closure: Final documentation added, incident closed
## Next Steps

After closing incidents:
- Review patterns - Look for recurring incident types
- Tune detection rules - Reduce false positives
- Update playbooks - Incorporate lessons learned
- Report metrics - Track MTTD, MTTR, and resolution rates
- Share knowledge - Brief the team on interesting cases
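The metrics named above can be computed from Sentinel's own `SecurityIncident` table rather than tracked by hand. The query below is an added example (not from the original guide) that reports closure time, detection lag and classification mix per severity for the last 30 days. It uses `ClosedTime - CreatedTime` as the MTTR proxy and `CreatedTime - FirstActivityTime` as the MTTD proxy; both are assumptions about how your team defines those metrics, and `FirstActivityTime` is only as accurate as the analytics rule that set it.

```kql
// Added example: closure and classification metrics from the SecurityIncident table
SecurityIncident
| where CreatedTime > ago(30d)
| summarize arg_max(LastModifiedTime, *) by IncidentNumber   // keep only the latest record per incident
| where Status == "Closed" and isnotnull(ClosedTime)
| extend TimeToClose = ClosedTime - CreatedTime,          // proxy for MTTR (assumed definition)
         DetectionLag = CreatedTime - FirstActivityTime   // proxy for MTTD (assumed definition)
| summarize Incidents = count(),
            MedianTimeToClose = percentile(TimeToClose, 50),
            P90TimeToClose = percentile(TimeToClose, 90),
            MedianDetectionLag = percentile(DetectionLag, 50),
            TruePositives = countif(Classification == "TruePositive"),
            BenignPositives = countif(Classification == "BenignPositive"),
            FalsePositives = countif(Classification == "FalsePositive"),
            Undetermined = countif(Classification == "Undetermined")
        by Severity
| extend FalsePositiveRate = round(100.0 * FalsePositives / Incidents, 1)
| order by Severity asc
```

A high `FalsePositiveRate` for one severity points at rules to tune (Step 7), a large gap between median and P90 `TimeToClose` points at a few incidents that stalled and should be reviewed for why, and a growing `Undetermined` count usually means closures are being rushed without a classification reason. Group by `Title` or `ProviderName` instead of `Severity` to see the same figures per detection rule or source.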
## Additional Resources
Need help improving your incident response? Inventive HQ offers SOC optimization services, from playbook development to analyst training. Contact us to strengthen your security operations.