Create and delete incidents in Microsoft Sentinel - Microsoft Tech Community
During the everyday work of the SOC, suspicious and malicious events surface from many sources. Events identified by SIEM and XDR systems are aggregated into alerts, and those alerts become incidents. At times, however, a possible security breach is reported by other means, such as a phone call, an email, hunting results or a customer request. Those incidents need to be documented whether they have only just been reported, have been partially investigated, or have even already been resolved. As part of our journey to build better incident management capabilities in Microsoft Sentinel, we would like to announce the "Manual incident creation" feature, along with the "delete incident" capability.
With the "manual incident creation" feature, analysts can now create an incident manually in the Sentinel portal, and also by using the new "Create incident (preview)" Logic App action (joining the already existing ability to create an incident through the API). If an incident was logged by mistake, or is an exact duplicate of another incident, it can now be deleted from the incident grid using the new "delete" option or through the API, leaving only audit information in the Log Analytics table.
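The API route mentioned above, as an added example that is not part of the original post or Microsoft's own tooling: a small bash wrapper around the Azure REST API that creates a Sentinel incident with PUT and removes it again with DELETE. The subscription, resource group, workspace and incident GUID are placeholders supplied by the caller; the `api-version` value is an assumption that should be checked against the current SecurityInsights REST reference, and the token is taken from an existing Azure CLI login.

```bash
#!/usr/bin/env bash
# Added example: create and delete a Microsoft Sentinel incident via the Azure
# Resource Manager REST API (Microsoft.SecurityInsights/incidents).
set -euo pipefail

# Assumption: a stable SecurityInsights API version; verify against current docs.
API_VERSION="2021-10-01"

# Escape a string for embedding in a JSON double-quoted value (backslash, quote).
json_escape() {
  printf '%s' "$1" | sed 's/\\/\\\\/g; s/"/\\"/g'
}

# ARM URL of one incident. Args: subscription resource-group workspace incident-id
incident_url() {
  printf 'https://management.azure.com/subscriptions/%s/resourceGroups/%s/providers/Microsoft.OperationalInsights/workspaces/%s/providers/Microsoft.SecurityInsights/incidents/%s?api-version=%s' \
    "$1" "$2" "$3" "$4" "$API_VERSION"
}

# Request body for incident CreateOrUpdate.
# Args: title severity(High|Medium|Low|Informational) status(New|Active|Closed) description
incident_body() {
  printf '{"properties":{"title":"%s","severity":"%s","status":"%s","description":"%s"}}' \
    "$(json_escape "$1")" "$(json_escape "$2")" "$(json_escape "$3")" "$(json_escape "$4")"
}

# Bearer token for ARM from the logged-in Azure CLI session.
arm_token() {
  az account get-access-token --resource https://management.azure.com \
    --query accessToken -o tsv
}

# PUT creates the incident under a client-chosen GUID (idempotent upsert).
# Args: subscription resource-group workspace incident-id title severity description
create_incident() {
  curl -sS -X PUT "$(incident_url "$1" "$2" "$3" "$4")" \
    -H "Authorization: Bearer $(arm_token)" \
    -H "Content-Type: application/json" \
    -d "$(incident_body "$5" "$6" "New" "$7")"
}

# DELETE removes the incident; prints the HTTP status code only.
# Args: subscription resource-group workspace incident-id
delete_incident() {
  curl -sS -X DELETE "$(incident_url "$1" "$2" "$3" "$4")" \
    -H "Authorization: Bearer $(arm_token)" \
    -o /dev/null -w '%{http_code}\n'
}

# Usage (needs a live Azure login): SUBSCRIPTION, RESOURCE_GROUP and WORKSPACE
# are placeholders the caller exports before running with the "run" argument.
if [ "${1:-}" = "run" ]; then
  ID="${INCIDENT_ID:-$(uuidgen)}"
  create_incident "$SUBSCRIPTION" "$RESOURCE_GROUP" "$WORKSPACE" "$ID" \
    "Phone report: suspicious sign-in" "High" "Reported by the helpdesk; not yet triaged"
  delete_incident "$SUBSCRIPTION" "$RESOURCE_GROUP" "$WORKSPACE" "$ID"
fi
```

The incident ID is chosen by the client, so re-running the PUT with the same GUID updates rather than duplicates the incident; the escaping helper matters because report titles and descriptions taken from an email or a form may contain quotes that would otherwise break the JSON body.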
Two playbook templates are available in the template gallery, allowing out-of-the-box incident creation from an email template and from Microsoft Forms, thus reducing the time between the SOC learning about the incident and the incident being logged in Sentinel.