Редагувати

Поділитися через


Work with incident tasks in Microsoft Sentinel

This article explains how SOC analysts can use incident tasks to manage their incident-handling workflow processes in Microsoft Sentinel.

Incident tasks are typically created automatically by either automation rules or playbooks set up by senior analysts or SOC managers, but lower-tier analysts can create their own tasks on the spot, manually, right from within the incident.

You can see the list of tasks you need to perform for a particular incident on the incident details page, and mark them complete as you go.

Use cases for different roles

This article addresses the following scenarios, which apply to SOC analysts:

Other articles at the following links address scenarios that apply more to SOC managers, senior analysts, and automation engineers:

Prerequisites

The Microsoft Sentinel Responder role is required to create automation rules and to view and edit incidents, both of which are necessary to add, view, and edit tasks.

View and follow incident tasks

  1. In the Incidents page, select an incident from the list, and select View full details under Tasks in the details panel, or select View full details at the bottom of the details panel.

    Screenshot of link to enter the tasks panel from the incident info panel on the main incidents screen.

  2. If you opted to enter the full details page, select Tasks from the top banner.

    Screenshot shows incident details screen with tasks panel open.

  3. The Incident tasks panel will open on the right side of whichever screen you were in (the main incidents page or the incident details page). You'll see the list of tasks defined for this incident, along with how or by whom it was created - whether manually or by an automation rule or a playbook.

    Screenshot shows incident tasks panel as seen from incident details page.

  4. The tasks that have descriptions will be marked with an expansion arrow. Expand a task to see its full description.

    Screenshot shows incident tasks panel with expanded task descriptions.

  5. Mark a task complete by marking the circle next to the task name. A check mark will appear in the circle, and the text of the task will be grayed out. See the "Reset user password" example in the screenshots above.

Manually add an ad-hoc task to an incident

You can also add tasks for yourself, on the spot, to an incident's task list. This task will apply only to the open incident. This helps if your investigation leads you in new directions and you think of new things you need to check. Adding these as tasks ensures that you won't forget to do them, and that there will be a record of what you did, that other analysts and managers can benefit from.

  1. Select + Add task from the top of the Incident tasks panel.

    Screenshot shows how to manually add a task to your task list.

  2. Enter a Title for your task, and a Description if you choose.

    Screenshot shows how to add a title and description to your task.

  3. Select Save when you've finished.

    Screenshot shows how to finish defining and save your task.

  4. See your new task at the bottom of the task list. Note that manually created tasks have a different color band on the left border, and that your name appears as Created by: under the task title and description.

    Screenshot showing your new task at the end of the task list.

Next steps