Microsoft Entra Suite Tech Accelerator
Aug 14 2024, 07:00 AM - 09:30 AM (PDT)
Microsoft Tech Community

Unified Portal - Sentinel incident losing set tactics

Brass Contributor

Hi,

 

Just trialling the unified portal, and incidents in Sentinel seem to lose any tactics set via the analytic rule.

Plus the resulting incident has a slightly different title, assume after being converted to 'Defender speak'.

 

We have a standard rule TI MAP IP entity for Office365 and the incident is TI Map IP entity for Office365 involving one user and the tactic is missing even though its in the original rule?

 

Anyone else experiencing the same?

 

Regards,

 

Tim

1 Reply

@tipper1510 yes similar. 

I have a NRT analytic rule in one tenant that’s affected. Like yours the title is mangled a little but what’s worse is the incident description that I pass through to my PSA using a playbook is completely lost. 

when I look at the incident in Defender it’s all good but the analytic and playbook are worse off. 

Same analytic in a different tenant where I haven’t enabled the unified portal works just fine. 

Ross.