Microsoft Tech Community
SOLVED

Investigate button enabled when it shouldn't be

Bronze Contributor

I've been told that the Incident Investigate button needs at least 1 Entity to have a value before it can be enabled. However, I am seeing an incident that was generated from MCAS show up with no entities and yet the button is enabled (see image). Is this a bug or an exception to the rule? If I do click on the Investigate button I see "Active Directory" show up on the page as the app.

investigate.png

1 Reply
best response confirmed by Gary Bushey (Bronze Contributor)
Solution

@Gary Bushey 

 

This is a special case. When using "Microsoft incident" rules which elevate alerts from Microsoft products to Incidents, we use the standard schema of Microsoft alerts to map automatically a large number of entities. Those are not exposed in the incident page today, but are used for investigation and you have experiences.

 

~ Ofer
