Microsoft Tech Community
SOLVED

Investigate button enabled when it shouldn't be


I've been told that the Incident Investigate button needs at least 1 Entity to have a value before it can be enabled. However, I am seeing an incident that was generated from MCAS show up with no entities and yet the button is enabled (see image). Is this a bug or an exception to the rule? If I do click on the Investigate button I see "Active Directory" show up on the page as the app.

investigate.png

1 Reply
best response confirmed by Gary Bushey (Bronze Contributor)

@Gary Bushey 

 

This is a special case. When using "Microsoft incident" rules, which elevate alerts from Microsoft products to Incidents, we use the standard schema of Microsoft alerts to automatically map a large number of entities. Those are not exposed in the incident page today, but are used for investigation, as you have experienced.

 

~ Ofer