Investigate button enabled when it shouldn't be

Gary Bushey

I've been told that the Incident Investigate button needs at least 1 Entity to have a value before it can be enabled. However, I am seeing an incident that was generated from MCAS show up with no entities and yet the button is enabled (see image). Is this a bug or an exception to the rule? If I do click on the Investigate button I see "Active Directory" show up on the page as the app.


1 Reply

@Gary Bushey 


This is a special case. When using "Microsoft incident" rules which elevate alerts from Microsoft products to Incidents, we use the standard schema of Microsoft alerts to map automatically a large number of entities. Those are not exposed in the incident page today, but are used for investigation and you have experiences.


~ Ofer
