How to Investigate incidents following best practice - Sentinel Automation


I have successfully created a playbook that is supposed to automate investigation in MDE. It will then add a comment to the incident and post a message via email to me.


I then created an automation rule with a condition that checks whether the TITLE of the incident is xxxxxx; if so, it should change the severity of the incident to high, the status to new, and run the created playbook.


In order to trigger it, I then created an incident named xxxxxx with severity medium and status new.



The incident changes status from new to active and severity from medium to high, but the playbook did not run or provide me with more details of the incident. Instead, I get this alert message:


The investigation graph requires that your incident includes entities (for example: user, host, IP, etc.). Use the entity mapping option when defining your alerts


Meanwhile, the Investigate button is grey.


Kindly advise.


Thank you.





best response confirmed by Gift_Mangena (Senior Member)



You need to set at least one entity mapping in the Rule Logic to make the Investigate button active.
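To show what "entity mapping in the Rule Logic" looks like outside the portal, here is an added example (not code from the thread or from Microsoft) of a Sentinel Scheduled analytics rule deployed with Bicep. The workspace name, the rule title xxxxxx (chosen to match the automation rule's TITLE condition), the KQL query, and the API version are all assumptions for illustration. The entities are attached when this rule creates the incident; an incident created by hand for testing never gets them, which is why the investigation graph complains and the Investigate button stays grey.

```bicep
// Added example, not from the original thread: a Scheduled analytics rule
// whose query projects the columns that the entity mappings below consume.
param workspaceName string
param ruleName string = 'xxxxxx' // assumed to match the automation rule's TITLE condition

resource workspace 'Microsoft.OperationalInsights/workspaces@2022-10-01' existing = {
  name: workspaceName
}

resource rule 'Microsoft.SecurityInsights/alertRules@2022-11-01' = {
  name: guid(ruleName)
  scope: workspace
  kind: 'Scheduled'
  properties: {
    displayName: ruleName
    enabled: true
    severity: 'Medium'
    // Constructed query (an assumption, not a recommended detection): the point
    // is that every column referenced by an entity mapping is projected.
    query: '''
DeviceLogonEvents
| where ActionType == "LogonFailed"
| project TimeGenerated, AccountName, DeviceName, RemoteIP
'''
    queryFrequency: 'PT1H'
    queryPeriod: 'PT1H'
    triggerOperator: 'GreaterThan'
    triggerThreshold: 0
    suppressionDuration: 'PT1H'
    suppressionEnabled: false
    // Without at least one mapping here, incidents created by this rule carry
    // no entities, the investigation graph has nothing to draw, and the
    // Investigate button is disabled.
    entityMappings: [
      {
        entityType: 'Account'
        fieldMappings: [
          { identifier: 'Name', columnName: 'AccountName' }
        ]
      }
      {
        entityType: 'Host'
        fieldMappings: [
          { identifier: 'HostName', columnName: 'DeviceName' }
        ]
      }
      {
        entityType: 'IP'
        fieldMappings: [
          { identifier: 'Address', columnName: 'RemoteIP' }
        ]
      }
    ]
    incidentConfiguration: {
      createIncident: true
    }
  }
}
```

Deploy it with `az deployment group create --resource-group <rg> --template-file rule.bicep --parameters workspaceName=<workspace>` (placeholders, not values from the thread), then let the rule fire rather than creating the incident manually. Each mapping's `columnName` must be a column the query actually returns; a mapping that points at a column the query drops yields no entity.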