SOLVED
Investigate button enabled when it shouldn't be

Gary Bushey
Contributor

I've been told that the Incident Investigate button needs at least 1 Entity to have a value before it can be enabled. However, I am seeing an incident that was generated from MCAS show up with no entities and yet the button is enabled (see image). Is this a bug or an exception to the rule? If I do click on the Investigate button I see "Active Directory" show up on the page as the app.

investigate.png

1 Reply
Solution

@Gary Bushey

This is a special case. When using "Microsoft incident" rules which elevate alerts from Microsoft products to Incidents, we use the standard schema of Microsoft alerts to map automatically a large number of entities. Those are not exposed in the incident page today, but are used for investigation and you have experiences.

~ Ofer
