Forum Discussion
Incidents from Analytics Rule template
jorgeghm As you said, rules templates do nothing by themselves. They serve as a template to create Analytic rules. These get run which will find events. The events will be grouped into alerts and then the alerts grouped into incidents.
One reason I could think of that you are not seeing the incident in question is that it is closed in Sentinel. By default, closed incidents are not shown in the Incidents page. You would need to change the "status" filter to show closed incidents as well to see everything.
- jorgeghm, Jan 23, 2023, Copper Contributor
GBushey thanks for the reply 🙂
So if we assume that a template rule does not generate incidents if there is no rule using it, then it is fine if I cannot find the incident, that is the expected behaviour, there shouldn't be any incident, neither open nor closed. Also there shouldn't be any event or alert, anything, the rule template does nothing and the rule template says there are no rules using it.
Therefore, why and how could data go to Splunk through Azure AD --> Sentinel? Just trying to find the missing puzzle piece :D.
Below is the data received by Splunk. I have searched in Sentinel by every type of field, keyword, severity, etc:
{"id": "<deleted>", "azureTenantId": "<deleted>", "azureSubscriptionId": "<deleted>", "category": "7e9ee75a-24ee-4133-aa74-b16cf2fd8291_21811d33-db66-4724-9412-9f54a40e11e0", "createdDateTime": "2023-01-19T22:31:38.5955752Z", "description": "Identifies authentication methods being changed for a privileged account. This could be an indication of an attacker adding an auth method to the account so they can have continued access.\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor-1", "eventDateTime": "2023-01-05T22:26:37.045Z", "lastModifiedDateTime": "2023-01-19T22:31:38.6040419Z", "severity": "high", "status": "newAlert", "title": "Authentication Methods Changed for Privileged Account", "vendorInformation": {"provider": "Azure Sentinel", "vendor": "Microsoft"}, "userStates": [{"accountName": "<deleted>", "domainName": "<deleted>", "emailRole": "unknown", "logonDateTime": "2023-01-05T22:26:37.045Z", "logonIp": "<deleted>", "userPrincipalName": "<deleted>"}]}
- GBushey, Jan 23, 2023, Former Employee
Sorry, I cannot answer that without being able to look into your system to see if there would be something else generating this message. Did you check closed incidents in Sentinel as those don't show up by default?
- jorgeghm, Jan 23, 2023, Copper Contributor
Yeah, I have also searched closed incidents, nothing. Anyway thanks for your help
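One way to settle the question raised in the thread above is to search the Log Analytics workspace directly rather than the Incidents page, since the SecurityAlert table records every alert an analytics rule produced and the SecurityIncident table records every incident state change, closed ones included. The queries below are an added example and are not part of the original thread; they assume a standard Sentinel workspace where both tables are present, and the date window and alert title are taken from the JSON posted above (the window is widened by a day on each side as a constructed assumption).

```kql
// 1. Did an alert with this title ever exist, whether or not an incident was created?
//    SecurityAlert rows are written per alert, independent of incident grouping.
SecurityAlert
| where TimeGenerated between (datetime(2023-01-04) .. datetime(2023-01-21))
| where AlertName == "Authentication Methods Changed for Privileged Account"
| project TimeGenerated, StartTime, EndTime, AlertName, AlertSeverity,
          ProviderName, VendorName, Status, SystemAlertId

// 2. Was any incident (open, active or closed) ever built from that alert?
//    SecurityIncident logs a row on every update, so keep only the latest state per incident.
SecurityIncident
| where CreatedTime between (datetime(2023-01-04) .. datetime(2023-01-21))
| summarize arg_max(TimeGenerated, *) by IncidentNumber
| where Title == "Authentication Methods Changed for Privileged Account"
| project IncidentNumber, Title, Status, Classification, CreatedTime, ClosedTime, AlertIds

// 3. Join the two so each alert shows which incident (if any) absorbed it.
//    AlertIds is a dynamic array of SystemAlertId values, so it is expanded first.
SecurityIncident
| summarize arg_max(TimeGenerated, *) by IncidentNumber
| mv-expand AlertId = AlertIds to typeof(string)
| join kind=rightouter (
    SecurityAlert
    | where TimeGenerated between (datetime(2023-01-04) .. datetime(2023-01-21))
    | where AlertName == "Authentication Methods Changed for Privileged Account"
  ) on $left.AlertId == $right.SystemAlertId
| project AlertTime = TimeGenerated1, AlertName, ProviderName, SystemAlertId,
          IncidentNumber, IncidentStatus = Status, IncidentTitle = Title
```

If query 1 returns nothing for the whole window while the external system still holds the alert, the workspace being searched is not the one that produced it (for example a second workspace or tenant connected to the same export), which is the kind of "something else generating this message" the reply above points at; an alert present in query 1 but absent from queries 2 and 3 means it fired but was never grouped into an incident, so the Incidents page would never show it regardless of the status filter.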