What’s new: incident expansion – relate alerts to incidents - Microsoft Tech Community
As the investigation of a security incident unfolds, the scope of the incident might expand. As analysts investigate an incident, they might uncover additional steps in the attacker's kill chain, thus uncovering the full attack story. Attaching those alerts to the incident being investigated is a critical requirement for documenting the investigation process and ensuring appropriate mitigation steps are taken. The end result is richer incidents representing the full story of the attack, which you can then report on, sync with external systems, and act on accurately.
We are happy to announce, now in public preview, a new capability that allows analysts to add or remove an alert from an incident as part of their investigation experience. This feature can be used from the investigation graph UI or combined in a SOAR playbook to generate automatic, configurable grouping of alerts into incidents.