Forum Discussion
Incident Investigation question
GaryBushey
Hi,
Hmm, we actually didn't change anything in the functionality.
If you click on 'related entities' for each of the alerts you should see the relationships between the alerts and the matching entities.
Let me know if that addresses the issue.
Thanks,
Raz
- GaryBushey, Feb 25, 2020, Bronze Contributor
razhe Thank you for your reply but it didn't resolve the issue. Let me see if I can explain it a bit better.
I have 4 alerts/incidents. Three of them, New Account, Account Elevated, and Account Deleted, all share the same Entities: IP = 192.168.154.159, Account = John Doe, and Host = ADServer. The fourth one, Mass Download, has Host = HRServer and URL = www.microsoft.com, along with Account = John Doe and IP = 192.168.154.159.
When performing an investigation on New Account, I see all three Entities. Great! Working correctly. I can then view Related Alerts on the Account, John Doe, and I see the other three alerts. Still working. If I then go to Mass Download, and view Related entities I only see the two entities that are not on the page yet. OK, that seems fine. HOWEVER, there is no longer a line going from Mass Download to the existing Account and IP entities, like there used to be, so I have no way of knowing that those two entities are related to the Mass Download alert. See the attached image.
This makes the investigation not as useful as it used to be as this would lead me to believe there are only 2 entities associated to the Mass Download alert when in fact there are 4.
We can take this offline if it would be easier.
- razhe, Feb 28, 2020, Microsoft
GaryBushey
Thanks for explaining! This indeed requires further investigation on our side.
We might contact you offline if we need more details or are unable to recreate.
Thanks again for bringing this to our attention, I'll keep you updated on our findings.