Forum Discussion
DGMalcolm
Nov 20, 2023, Iron Contributor
How to determine where an alert rule comes from?
Okay, I'm getting incidents with the description "Sign-in from an atypical location based on the user's recent sign-ins". In the incident, I can see that the Analytics rule is "Create incidents based...
Rod_Trent
Microsoft
Nov 20, 2023
You should be able to click on the link for Analytics Rule in the info pane. This will take you directly to the Analytics Rule that generated the Incident.
- DGMalcolm, Nov 20, 2023, Iron Contributor
Yes, it takes me to the rule, but I want to know where the rule came from - which content from the Content Hub included that rule such that it ended up imported into this environment. Unlike most of the other Analytics Rules, this one only shows on the 'Active rules' tab, not on the "Rule templates" tab. What I want to do is end up with this rule (and maybe any associated content) imported into a Sentinel test environment.
- Clive_Watson, Nov 21, 2023, Bronze Contributor
In Rod's screenshot you can see that the Alert has come from Microsoft Defender for Cloud (and Azure Security Center, which is the legacy name for that product).
Rules from other products like Defender for Cloud or Defender for Endpoint are not stored in Microsoft Sentinel - the product Source column is useful in this situation (if it's not Microsoft Sentinel then you typically won't see the rule template).
You are getting these Alerts because you enabled an individual Defender connector or the Microsoft 365 Defender connector. The rules called "Create incidents based on ..." are not used by the Microsoft 365 Defender connector.
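A KQL query that pivots from the incident to the product and provider of the underlying alert, which is the same "where did this come from" check the Source column gives in the portal. This is an added example, not code from the thread; it assumes the workspace's standard SecurityIncident and SecurityAlert tables are populated by the enabled connectors.

```kql
// Added example (not from the thread). Assumes the standard SecurityIncident
// and SecurityAlert tables exist in the Sentinel workspace.
let lookback = 7d;
SecurityIncident
| where TimeGenerated > ago(lookback)
| where Title has "atypical location" or Description has "atypical location"
// An incident can reference several alerts; expand them one per row.
| mv-expand AlertId = AlertIds
| extend AlertId = tostring(AlertId)
| join kind=inner (
    SecurityAlert
    | where TimeGenerated > ago(lookback)
    | project SystemAlertId, AlertName, ProductName, ProviderName, VendorName
) on $left.AlertId == $right.SystemAlertId
// SecurityIncident logs one row per incident update, so count distinct incidents.
| summarize Incidents = dcount(IncidentNumber)
    by ProductName, ProviderName, VendorName, AlertName
| order by Incidents desc
```

A ProductName other than Microsoft Sentinel (for example a Defender product) confirms the detection logic lives in that product, and the only Sentinel-side rule to reproduce in a test environment is the "Create incidents based on ..." rule for that connector.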