Forum Discussion
Cindy77 (Copper Contributor)
Dec 03, 2021
Microsoft Sentinel - Creation of incident from custom rule does not show related entity mappings
We have custom rules that create incidents. However, within the incident, entity mappings do not show up. We notice in incidents created by Microsoft products, the entities do show up in the incident. Can someone please advise? Thank you so much.
1 Reply
- Cindy77 (Copper Contributor): It appears incidents will pick up entities from alerts one level deep. So if your incident has an alert that is made up of alerts, the entities do not get passed up. However, in the Event Group section of the rule creation, you can select "Trigger an alert for each event (preview)", which will create 1 incident for every alert with a cap at 20. In this scenario, the entities show up within the incident.
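
An added example, not part of the thread and not Microsoft's code: a small audit over exported scheduled analytics rules that flags the two conditions discussed above, a rule with no entity mappings and a rule that queries the `SecurityAlert` table while grouping all results into one alert. It assumes rules exported in the ARM shape (`properties.entityMappings`, `properties.eventGroupingSettings.aggregationKind`); the rule names, queries and finding labels are constructed for illustration.

```python
import json
import re

# Constructed sample rules in ARM-export shape; names and queries are made up.
SAMPLE_RULES = json.loads("""
[
  {"name": "rule-grouped-alerts", "kind": "Scheduled", "properties": {
    "query": "SecurityAlert | where ProviderName == 'MDATP' | summarize count() by CompromisedEntity",
    "eventGroupingSettings": {"aggregationKind": "SingleAlert"},
    "entityMappings": [{"entityType": "Host", "fieldMappings": [
      {"identifier": "HostName", "columnName": "CompromisedEntity"}]}]}},
  {"name": "rule-per-event", "kind": "Scheduled", "properties": {
    "query": "SigninLogs | where ResultType != 0",
    "eventGroupingSettings": {"aggregationKind": "AlertPerResult"},
    "entityMappings": [{"entityType": "Account", "fieldMappings": [
      {"identifier": "FullName", "columnName": "UserPrincipalName"}]}]}},
  {"name": "rule-no-mapping", "kind": "Scheduled", "properties": {
    "query": "Syslog | where SeverityLevel == 'err'"}}
]
""")


def audit_rule(rule):
    """Return finding labels (hypothetical names) for one scheduled rule."""
    props = rule.get("properties", {})
    findings = []
    # Without mappings the rule's alerts carry no entities at all.
    if not props.get("entityMappings"):
        findings.append("no-entity-mappings")
    # Assumption: a missing grouping setting means one alert for all results.
    grouping = props.get("eventGroupingSettings") or {}
    kind = grouping.get("aggregationKind", "SingleAlert")
    # Heuristic from the reply above: alerts built from other alerts and
    # grouped into a single alert are where entities were seen to go missing.
    reads_alerts = re.search(r"\bSecurityAlert\b", props.get("query", ""))
    if reads_alerts and kind != "AlertPerResult":
        findings.append("alerts-of-alerts-grouped")
    return findings


def audit(rules):
    """Map rule name -> findings for every scheduled rule in the export."""
    return {r["name"]: audit_rule(r) for r in rules if r.get("kind") == "Scheduled"}


if __name__ == "__main__":
    for name, findings in audit(SAMPLE_RULES).items():
        print(name, findings or "ok")
```
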