May 18 2023 03:46 AM - edited May 23 2023 02:25 AM
I have successfully created a playbook that is supposed to automate investigation in MDE. It will then add a comment to the incident and post a message via email to me.
I then created an automation rule that has a condition that checks if the TITLE of the incident is xxxxxx; it should change the severity of the incident to high, status to new, and run the created playbook.
In order to trigger it, I then created an incident with the name xxxxxx that has severity medium and status new.
Results:
The incident changes status from new to active and severity from medium to high, but the playbook did not run or provide me with more details of the incident. Instead, I get this alert message:
The investigation graph requires that your incident includes entities (for example: user, host, IP, etc.). Use the entity mapping option when defining your alerts
While the investigate button is grey
Kindly advise.
Thank you
May 18 2023 05:01 AM
Solution
You need to set at least one entity mapping in the Rule Logic to make the Investigate button active.
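One way to catch this before an incident is ever created, as an added example that is not from the thread or from Microsoft: a small Python check over exported Scheduled analytics rule definitions (the `entityMappings` block is what the Rule Logic "Entity mapping" section writes) that flags rules with no mapping. The two sample rule definitions are constructed for the example.

```python
import json

# Constructed sample: two Scheduled analytics rules as they appear in an ARM
# export (Microsoft.SecurityInsights/alertRules). The first maps no entities,
# so its incidents cannot be investigated and an entity-driven playbook has
# nothing to act on; the second maps Account and IP from query columns.
SAMPLE_RULES = json.loads(r"""
[
  {"type": "Microsoft.SecurityInsights/alertRules", "kind": "Scheduled",
   "name": "rule-no-entities",
   "properties": {"displayName": "Suspicious sign-in (no entities)",
                  "query": "SigninLogs | where ResultType != 0",
                  "entityMappings": []}},
  {"type": "Microsoft.SecurityInsights/alertRules", "kind": "Scheduled",
   "name": "rule-with-entities",
   "properties": {"displayName": "Suspicious sign-in",
                  "query": "SigninLogs | where ResultType != 0 | project UserPrincipalName, IPAddress",
                  "entityMappings": [
                    {"entityType": "Account",
                     "fieldMappings": [{"identifier": "FullName", "columnName": "UserPrincipalName"}]},
                    {"entityType": "IP",
                     "fieldMappings": [{"identifier": "Address", "columnName": "IPAddress"}]}]}}
]
""")


def mapped_entity_types(rule):
    """Entity types a rule maps (only mappings that name a query column count)."""
    types = []
    for mapping in rule.get("properties", {}).get("entityMappings") or []:
        fields = mapping.get("fieldMappings") or []
        if any(f.get("columnName") for f in fields):
            types.append(mapping.get("entityType"))
    return types


def rules_without_entity_mapping(rules):
    """Display names of Scheduled rules whose incidents will have no entities,
    i.e. the ones that produce the grey Investigate button seen in the question."""
    return [
        r["properties"].get("displayName", r.get("name"))
        for r in rules
        if r.get("kind") == "Scheduled" and not mapped_entity_types(r)
    ]


if __name__ == "__main__":
    for name in rules_without_entity_mapping(SAMPLE_RULES):
        print(f"no entity mapping: {name}")
```

Run it against a real export (`az sentinel alert-rule list` output or an ARM template) after loading that JSON in place of the sample list.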