Microsoft Security Tech Accelerator
Dec 06 2023, 07:00 AM - 12:00 PM (PST)
Microsoft Tech Community

Investigate button enabled when it shouldn't be

Bronze Contributor

I've been told that the Incident Investigate button needs at least 1 Entity to have a value before it can be enabled.  However I am seeing an incident that was generated from MCAS show up with no entities and yet the button is enabled (see image).  Is this a bug or an exception to the rule.   If I do click on the Investigate button I see "Active Directory" show up on the page as the app.


1 Reply
best response confirmed by Gary Bushey (Bronze Contributor)

@Gary Bushey 


This is a special case. When using "Microsoft incident" rules which elevate alerts from Microsoft products to Incidents, we use the standard schema of Microsoft alerts to map automatically a large number of entities. Those are not exposed in the incident page today, but are used for investigation and you have experiences.


~ Ofer