Microsoft is bolstering its cloud-native security information and event management (SIEM) and security orchestration, automation, and response (SOAR) platform, Microsoft Sentinel, with a recent feature designed to enhance threat investigation and visualization: custom graphs. Currently in public preview, this capability allows security analysts to map relationships between entities within their security data, providing a more intuitive and comprehensive view of potential attacks. This development in Microsoft Sentinel aims to streamline the often complex process of identifying and responding to cybersecurity incidents.
For security teams, understanding the connections between users, devices, alerts, and other security-relevant data is crucial for effective threat hunting and incident response. Traditionally, this has involved piecing together information from various sources and manually creating visualizations. Custom graphs in Sentinel automate much of this process, enabling analysts to quickly identify patterns and anomalies that might otherwise go unnoticed. The introduction of this feature reflects a broader industry trend toward graph-based security analytics, which leverages the power of relationship analysis to detect sophisticated threats.
What are Custom Graphs in Microsoft Sentinel?
The core function of custom graphs is to visually represent the relationships between different entities within a security investigation. These entities can include things like IP addresses, user accounts, files, processes, and more. Analysts can define the relationships they want to explore – for example, “user logged into device,” or “process created file” – and Sentinel will automatically generate a graph showing those connections. This allows for a more holistic understanding of the attack chain and helps pinpoint the root cause of an incident. According to Microsoft’s documentation, the feature supports a variety of graph types and customization options, allowing analysts to tailor the visualizations to their specific needs.
The public preview, as reported by Petri IT Knowledgebase, allows users to build custom graphs using Kusto Query Language (KQL). Petri IT Knowledgebase highlights that this integration with KQL provides a powerful and flexible way to define the relationships and data that are displayed in the graphs. KQL is Microsoft’s query language for its data exploration tools, and its use in custom graphs allows security professionals to leverage their existing KQL skills to create sophisticated visualizations.
How Does This Benefit Security Teams?
The benefits of custom graphs extend beyond just visualization. By providing a clear and concise representation of complex relationships, these graphs can significantly speed up incident investigation. Analysts can quickly identify key entities involved in an attack, trace the path of an attacker, and understand the scope of the compromise. This can lead to faster containment and remediation, minimizing the impact of security incidents. The ability to customize graphs allows teams to focus on the relationships that are most relevant to their specific environment and threat landscape.
The feature also supports collaborative investigation. Analysts can share graphs with colleagues, allowing for a more coordinated response to security incidents. This is particularly important in larger organizations where multiple teams may be involved in incident response. The visual nature of the graphs also makes it easier to communicate findings to stakeholders who may not have a deep technical understanding of security concepts.
Leveraging KQL for Graph Creation
The integration with Kusto Query Language (KQL) is a key aspect of the custom graphs feature. KQL allows security analysts to query and analyze large volumes of security data with speed and efficiency. By using KQL to define the relationships between entities, analysts can create highly targeted and informative graphs. This also allows for dynamic graphs that update automatically as new data becomes available. Microsoft’s official documentation on Custom Graphs provides detailed examples and guidance on how to use KQL to create different types of graphs.
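As an added illustration (not a sample from Microsoft’s documentation), the following KQL expresses the “user logged into device” and “device ran process” relationships as edges and uses Kusto’s make-graph and graph-match operators to walk the two-hop chain described above. It assumes the SigninLogs and DeviceProcessEvents tables are ingested and that DeviceDetail.displayName in SigninLogs matches DeviceName in DeviceProcessEvents for the same machine; whether the Sentinel preview renders this exact syntax is also an assumption.

```kusto
// Added illustration, not Microsoft's own sample query.
// Assumes: SigninLogs and DeviceProcessEvents are ingested, and the device
// display name in the sign-in log equals DeviceName in the process events.
let window = 1d;
// Edge type 1: "user logged into device", from successful sign-ins only
let loginEdges = SigninLogs
    | where TimeGenerated > ago(window) and ResultType == "0"
    | extend DeviceName = tostring(DeviceDetail.displayName)
    | where isnotempty(DeviceName)
    | project Source = UserPrincipalName, Target = DeviceName,
              Relationship = "logged_into", IPAddress, TimeGenerated;
// Edge type 2: "device ran process", limited here to a few script hosts
let execEdges = DeviceProcessEvents
    | where TimeGenerated > ago(window)
    | where FileName in~ ("powershell.exe", "wscript.exe", "mshta.exe")
    | project Source = DeviceName, Target = FileName,
              Relationship = "ran", TimeGenerated,
              CommandLine = ProcessCommandLine;
// One graph from both edge sets; nodes are inferred from Source/Target
union loginEdges, execEdges
| make-graph Source --> Target
// Walk the chain user -> device -> process, keeping only executions that
// happened within an hour after the user's sign-in to that device
| graph-match (user)-[login]->(device)-[exec]->(process)
    where login.Relationship == "logged_into" and exec.Relationship == "ran"
      and exec.TimeGenerated between (login.TimeGenerated .. (login.TimeGenerated + 1h))
    project User = login.Source, Device = login.Target, Process = exec.Target,
            SourceIP = login.IPAddress, SignInAt = login.TimeGenerated,
            CommandLine = exec.CommandLine
```

Each result row is one path through the graph, so the same output can either feed a graph visualization or be reviewed as a table during an investigation.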
What’s Next for Microsoft Sentinel?
The public preview of custom graphs is just the latest in a series of updates to Microsoft Sentinel. Microsoft continues to invest heavily in the platform, adding new features and capabilities to help organizations improve their security posture. Future developments are likely to focus on further automation, integration with other Microsoft security products, and enhanced threat intelligence capabilities. The company has also indicated plans to expand the types of graphs supported and to add more customization options.
For organizations already using Microsoft Sentinel, the custom graphs feature represents a valuable addition to their security toolkit. It provides a powerful new way to visualize and analyze security data, enabling faster and more effective incident response. For organizations considering adopting Sentinel, this feature further strengthens the platform’s position as a leading cloud-native SIEM and SOAR solution. The public preview is available now, allowing security teams to begin exploring the benefits of custom graphs and providing feedback to Microsoft.
Microsoft plans to gather feedback during the public preview period to refine the feature before its general availability release. Users can submit feedback through the Microsoft Sentinel portal and through the Microsoft Tech Community. The next scheduled update for Microsoft Sentinel, expected in early 2024, will likely include improvements based on this feedback. Stay tuned to the Microsoft Sentinel documentation for the latest updates and announcements.
Have thoughts on the new custom graphs feature in Microsoft Sentinel? Share your comments below and let us know how you plan to use this capability to enhance your security operations.
