Create and delete incidents in Microsoft Sentinel
Published Sep 12 2022 04:21 AM

During the everyday work of the SOC, suspicious and malicious events surface from many sources. Events that are identified by SIEM and XDR systems are aggregated into alerts, and those alerts become incidents. However, at times a possible security breach is reported by other means, such as a phone call, an email, hunting results or a customer request. Those incidents need to be documented when they have been reported, partially investigated, or even resolved. As part of our journey to build better incident management capabilities in Microsoft Sentinel, we would like to announce the "Manual incident creation" feature, along with the "delete incident" capability.


With the "manual incident creation" feature, analysts can now create an incident manually in the Sentinel portal and also by using the new "Create incident (preview)" LogicApp action (joining the already existing ability to create an incident through the API). If an incident was mistakenly logged, or is an exact duplicate of another incident, it can now be deleted from the grid using the new "delete" option or using an API - leaving only audit information in the Log Analytics table.


Two playbook templates are available in the template gallery, allowing out-of-the-box incident creation using an email template and Microsoft Forms, thus reducing the time between the SOC learning about the incident and the time the incident is logged in Sentinel.


Manually creating an incident using the Sentinel portal:

You can easily create an incident using the "Create incident (preview)" button. There are some required fields such as the incident's title, severity, and status. When "Create" is selected, the incident is immediately added to the incidents queue. Documentation on how to manually create incidents can be found here:




Manually creating an incident using LogicApp action:

To create an incident using playbooks, use the new "Create incident (preview)" action.

The new playbook templates now available in the playbooks gallery make it easy to build playbooks that create an incident when one is reported to the SOC using a dedicated email template or a Microsoft Form.




Deleting an incident using the Sentinel portal

Incidents can be deleted using an API or using the "Delete" button in the incidents grid. It's possible to delete just one incident, or to select multiple incidents and delete them by a bulk action. Incidents generated in or synchronized with M365D can't be deleted.

Documentation for this feature is available here:







These new incident management capabilities allow a single pane of glass for all incidents triaged and investigated by the SOC, open or closed, regardless of their origin. More capabilities will be added to Sentinel to allow better case management, and to this feature, such as the ability to relate entities, relate alerts and add evidence.
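
The API route mentioned above for creating and deleting incidents, as an added example (not code from the original post or from Microsoft): it builds the Azure Resource Manager requests and enforces the required fields named earlier (title, severity, status) before anything is sent. The API version, the function names and the choice to name incidents with GUIDs are assumptions of the example; sending the requests needs a bearer token with write access to the workspace's incidents.

```python
import json
import uuid
import urllib.request

ARM = "https://management.azure.com"
API_VERSION = "2023-02-01"  # assumption: use a version your tenant supports
SEVERITIES = {"High", "Medium", "Low", "Informational"}
STATUSES = {"New", "Active", "Closed"}


def incident_url(sub, rg, workspace, incident_id):
    """ARM resource URL of one incident in a Sentinel workspace."""
    return (f"{ARM}/subscriptions/{sub}/resourceGroups/{rg}"
            f"/providers/Microsoft.OperationalInsights/workspaces/{workspace}"
            f"/providers/Microsoft.SecurityInsights/incidents/{incident_id}"
            f"?api-version={API_VERSION}")


def create_request(token, sub, rg, workspace, title, severity, status="New",
                   description=None, incident_id=None):
    """Build the PUT that creates an incident; title, severity, status are required."""
    if not title or not title.strip():
        raise ValueError("title is required")
    if severity not in SEVERITIES:
        raise ValueError(f"severity must be one of {sorted(SEVERITIES)}")
    if status not in STATUSES:
        raise ValueError(f"status must be one of {sorted(STATUSES)}")
    props = {"title": title.strip(), "severity": severity, "status": status}
    if description:
        props["description"] = description
    incident_id = incident_id or str(uuid.uuid4())  # caller picks the incident name
    return urllib.request.Request(
        incident_url(sub, rg, workspace, incident_id),
        data=json.dumps({"properties": props}).encode(),
        method="PUT",
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json"})


def delete_request(token, sub, rg, workspace, incident_id):
    """Build the DELETE for one incident, e.g. an exact duplicate."""
    uuid.UUID(incident_id)  # example assumes GUID names; ValueError if malformed
    return urllib.request.Request(
        incident_url(sub, rg, workspace, incident_id),
        method="DELETE",
        headers={"Authorization": f"Bearer {token}"})
```

Pass the returned object to `urllib.request.urlopen` to send it; building the request makes no network call.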

Last update: Sep 12 2022 02:06 AM