Microsoft Tech Community
SOLVED

How to Investigate incidents following best practice - Sentinel Automation


I have successfully created a playbook that is supposed to automate investigation in MDE. It will then add a comment to the incident and post a message to me via email.

I then created an automation rule with a condition that checks if the title of the incident is xxxxxx; if so, it should change the severity of the incident to high, set the status to new, and run the created playbook.

In order to trigger it, I then created an incident with the name xxxxxx that has severity medium and status new.

Results:

The incident changes status from new to active and severity from medium to high, but the playbook did not run or provide me with more details of the incident. Instead, I get this alert message:

The investigation graph requires that your incident includes entities (for example: user, host, IP, etc.). Use the entity mapping option when defining your alerts

while the Investigate button is greyed out.

Kindly advise.

Thank you.

1 Reply
best response confirmed by Gift_Mangena (Copper Contributor)
Solution

@Gift_Mangena

You need to set at least one entity mapping in the Rule Logic to make the Investigate button active.
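As an added illustration (not part of the original thread), here is what an entity mapping looks like in the YAML format used for scheduled analytics rules in the Azure-Sentinel GitHub repository: the query projects columns, and `entityMappings` binds those columns to entity types, which is what populates the incident's entities and enables the Investigate button. An incident created by hand has no analytics rule behind it, so it never receives entities this way. The rule name, query, data connector and column names are assumptions for the example.

```yaml
id: 00000000-0000-0000-0000-000000000000   # placeholder GUID, replace with your own
name: Example - repeated failed sign-ins (entity mapping demo)
description: |
  Demo rule showing entity mapping. Incidents created from this rule
  carry Account, IP and Host entities, so the investigation graph can open.
severity: Medium
requiredDataConnectors:
  - connectorId: AzureActiveDirectory   # assumed connector for SigninLogs
    dataTypes:
      - SigninLogs
queryFrequency: 1h
queryPeriod: 1h
triggerOperator: gt
triggerThreshold: 0
tactics:
  - CredentialAccess
relevantTechniques:
  - T1110
query: |
  // Assumed example query: count failed sign-ins per user, source IP and device.
  // Every column named in entityMappings below must be present in the output.
  SigninLogs
  | where ResultType != "0"
  | summarize Failures = count()
      by UserPrincipalName, IPAddress, DeviceName = tostring(DeviceDetail.displayName)
  | where Failures >= 10
  | project UserPrincipalName, IPAddress, DeviceName, Failures
entityMappings:
  - entityType: Account
    fieldMappings:
      - identifier: FullName      # user entity from the UPN column
        columnName: UserPrincipalName
  - entityType: IP
    fieldMappings:
      - identifier: Address       # IP entity from the source address column
        columnName: IPAddress
  - entityType: Host
    fieldMappings:
      - identifier: HostName      # host entity from the projected device name
        columnName: DeviceName
version: 1.0.0
kind: Scheduled
```

In the portal the same three mappings are entered under Set rule logic > Entity mapping; the automation rule and playbook from the question then run against an incident that actually carries entities.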
