cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Microsoft Sentinel - Creation of incident from custom rule does not show related entity mappings

Cindy77
Copper Contributor

‎Dec 03 2021 08:44 AM

‎Dec 03 2021 08:44 AM

Microsoft Sentinel - Creation of incident from custom rule does not show related entity mappings

We have custom rules that create incidents. However within the incident, entity mappings do not show up. We notice in incidents created by Microsoft products, the entities do show up in the incident. Can someone please advise? Thank you so much.

662 Views
0 Likes
1 Reply
Reply
1 Reply
Cindy77

‎Dec 03 2021 11:23 AM

‎Dec 03 2021 11:23 AM

Re: Microsoft Sentinel - Creation of incident from custom rule does not show related entity mappings

It appears incidents will pick up entities from alerts one level deep. So if your incident has an alert that is made up of alerts, the entities do not get passed up. However in the Event Group section of the rule creation, you can select "Trigger an alert for each event (preview)" which will create 1 incident for every alert with a cap at 20. In this scenario, the entities show up within the incident.
0 Likes
Reply