Incidents from Analytics Rule template

Copper Contributor

Hi all!


I have a limited knowledge on Sentinel and the MS products and tools but trying hard to understand the whole puzzle.


We have a splunk server acting as a SIEM which ingests data from Sentinel via webhook (this is out of my scope ATM).


There are a few types of incidents which I cannot find on "threat management -> incidents". This is the case of "URL Added to Application from Unknown Domain". I can find it on "Analytics -> Rule templates". Its source is Azure Active Directory but on the bottom of the rule details there is a note:

  • You haven't used this template yet; You can use it to create analytics rules.

  • One or more data sources used by this rule is missing. This might limit the functionality of the rule.

Also, a config item is " Create incidents from this rule: Enabled"


The way I understand this is: "Rule templates" don't generate incidents by itself so a rule must be created using the template and, if the template is configured to create incidents from the rule, then an incident would be created and it would be possible to find it in "threat management ->incidents".


Am I right or otherwise, the rule template can create the incident without a rule?


Anyway, why I cannot find the incident whitin the inciedent list? How could this incident went through splunk?


Thanks in advance for your knowledge :)

best regards



6 Replies

@jorgeghm As you said, rules templates do nothing by themselves.  They serve as a template to create Analytic rules.  These get run which will find events.  The events will be grouped into alerts and then the alerts grouped into incidents. 


One reason I could think of that you are not seeing the incident in question is that it is closed in Sentinel.  By default, closed incidents are not shown in the Incidents page.  You would need to change the "status" filter to show closed incidents as well to see everything.

@GBusheythanks for the reply :)


So if we asume that template rule does not generate incidents if there is no rule using it, then it is fine if I cannot find the incident, that is the expected behaviour, there shouldn't be any incident, neither open or closed. Also there shouldn't be any event or alert, anything, rule template does nothing and rule template says there are no rules using it.


Therefore, why and how could data went to splunk throught Azure AD --> Sentinel? Just trying to find the missing puzzle piece :D.


Below data received by splunk. I have searched on sentinel by all type of field, keyword, severity, etc:



{"id": "<deleted>", "azureTenantId": "<deleted>", "azureSubscriptionId": "<deleted>", "category": "7e9ee75a-24ee-4133-aa74-b16cf2fd8291_21811d33-db66-4724-9412-9f54a40e11e0", "createdDateTime": "2023-01-19T22:31:38.5955752Z", "description": "Identifies authentication methods being changed for a privileged account. This could be an indication of an attacker adding an auth method to the account so they can have continued access.\nRef :", "eventDateTime": "2023-01-05T22:26:37.045Z", "lastModifiedDateTime": "2023-01-19T22:31:38.6040419Z", "severity": "high", "status": "newAlert", "title": "Authentication Methods Changed for Privileged Account", "vendorInformation": {"provider": "Azure Sentinel", "vendor": "Microsoft"}, "userStates": [{"accountName": "<deleted>", "domainName": "<deleted>", "emailRole": "unknown", "logonDateTime": "2023-01-05T22:26:37.045Z", "logonIp": "<deleted>", "userPrincipalName": "<deleted>"}]}



Sorry, I cannot answer that without being able to look into your system to see if there would be something else generating this message. Did you check closed incidents in Sentinel as those don't show up by default?
Yeah, I have also searched closed incidents , nothing. Anyway thanks for your help
When you did the search, did you search the SecurityIncident table or just use the UI? There is a new feature to delete incidents so maybe it got deleted?


I would expect to see that data in OfficeActivity or CloudAppEvents tables

This should  find it - and list the tables the messages are in, when we know where the data is seen a Use Case can be enabled (or built) from the templates. 

 search  "Authentication Methods Changed for Privileged Account"
| where TimeGenerated between (ago(30d) .. now())
//| where TimeGenerated between (datetime(2022-12-01) .. datetime(2023-01-21))
| summarize count(), min(TimeGenerated), max(TimeGenerated) by Type