All the events pertaining to the incident are not shown when grouping based on Tenant enabled.

Hi SangaraNarayanan,

Thank you for the clarification. If your aim is to ask Microsoft to add this feature to the product, I'm afraid that I have no influence on that. You would need to reach out to your Account Manager and ask for a feature request to be opened.

My recommendation for a direct solution is to create an Azure Workbook. In a Workbook, you can create a custom Incident Overview page and design it to your exact requirements. There are already some interesting solutions in the Content Hub that may serve as an example to what you are trying to achieve. Take a look at "Sentinel Central" or "Incident Management with Microsoft Sentinel".

If you're looking to develop a solution yourself, I recommend to read https://learn.microsoft.com/en-us/azure/azure-monitor/visualize/workbooks-interactive-reports#set-up-a-grid-row-click for more information. You could create two panels: one to list the active incidents in the workspace, and a second to load all the alerts for the selected incident in the results of the first query.

For the first panel, I recommend using the Azure Resource Manager data source, using the following endpoint of the ARM REST API: https://learn.microsoft.com/en-us/rest/api/securityinsights/incidents/list?view=rest-securityinsights-2023-11-01&tabs=HTTP. Be sure to use the $filter option to only show recent and New incidents. A simpler setup would use a normal parameter, allowing for manual entry of the incident number. For the second panel, you could use the query I provided and pass the incident number as a parameter.

I realize that this may not be the answer you were looking for, but I hope it helps!

Kind regards,

Rutger