I've been told that the Incident Investigate button needs at least 1 Entity to have a value before it can be enabled. However, I am seeing an incident that was generated from MCAS show up with no entities, and yet the button is enabled (see image). Is this a bug or an exception to the rule? If I do click on the Investigate button, I see "Active Directory" show up on the page as the app.
This is a special case. When using "Microsoft incident" rules, which elevate alerts from Microsoft products to incidents, we use the standard schema of Microsoft alerts to automatically map a large number of entities. Those are not exposed in the incident page today, but are used for investigation, as you have experienced.