SOLVED

Dynamically populate description of an incident


Hi, 

Is it possible to populate the description of an incident dynamically? For example, I have an analytic rule which detects if an account is added to a specific group. I would like to populate the incident description as below:

"user XYZ has added user ABC to the domain group GRP01". 

Here, XYZ, ABC, and GRP01 are extracted from the query result (SubjectUserName, MemberName, TargetUserName). This would make the incidents easier for analysts to understand at first glance, without having to investigate evidence events. Also, when integrating with a ticketing system, the dynamically populated description would be more useful for incident handlers. 

2 Replies
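The query half of what the question asks for, as an added example that is not part of the original post or of Microsoft's own rule templates: a KQL analytic rule query that detects additions to a watched domain group and projects the "user XYZ has added user ABC to the domain group GRP01" sentence from the event fields. It assumes the Windows Security Events connector feeds the SecurityEvent table and uses "GRP01" as a placeholder group name; whether the resulting Description column can be surfaced as the incident description is the platform feature the reply below addresses, so the query only shows how the string is derived from SubjectUserName, MemberName and TargetUserName.

```kql
// Added example (not from the thread). Assumptions: events land in SecurityEvent,
// and "GRP01" stands in for the group being watched.
let WatchedGroups = dynamic(["GRP01"]);
SecurityEvent
// 4728 = member added to global group, 4732 = local group, 4756 = universal group
| where EventID in (4728, 4732, 4756)
// TargetUserName holds the group that was modified
| where TargetUserName in~ (WatchedGroups)
// MemberName is usually a distinguished name ("CN=ABC,OU=...,DC=..."); keep the CN.
// If the event carries a plain name instead, fall back to MemberName as-is.
| extend AddedMember = coalesce(extract(@"^CN=([^,]+)", 1, MemberName), MemberName)
// SubjectUserName is the account that performed the change
| extend Description = strcat("user ", SubjectUserName,
                              " has added user ", AddedMember,
                              " to the domain group ", TargetUserName)
| project TimeGenerated, Computer, EventID, SubjectUserName, SubjectDomainName,
          AddedMember, MemberSid, TargetUserName, TargetDomainName, Description
```

Running the query in Log Analytics shows one row per membership change with the Description column already in the requested form, which is also the shape a ticketing integration consuming the query output would want. Note that 4732 covers local groups as well, so restrict on TargetDomainName if only domain groups should fire.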
Best Response confirmed by Cyb3rMonk (Contributor)
Solution

@Cyb3rMonk This is not currently possible, however we are working on such a feature.

Thanks Ofer! Looking forward to it!