Forum Discussion
Sentinel incident playbook - get alert entities
This is actually a really valid question. In that case I would probably use some tracking variables, add the number of Entities flagged in the KQL, and then an additional condition where Entities != the ones previously flagged. Will try to test it out in my environment :)
Yeah, that should work for entity tracking. But in some cases the event happens again with no new entities, and only 'Last update time' is changed. In Defender XDR/Sentinel the incident will pop up in the list, but as it does not create a new alert, the playbook is not triggered.
Not sure how it behaves when the incident is closed after the first investigation; does it reopen or create a new one?
- ITProfessor, Apr 15, 2025, Brass Contributor
It will create a new one if the previous one was closed after investigation (if triggered by an analytic rule, there is an option there to re-open incidents, which is off by default).