Microsoft Tech Community

Incident URL


What is the URL to get to a specific Incident's Full Details page?  The URL I get from my browser only takes me to the listing of Incidents.  I thought I saw it listed here before but I cannot find it.

15 Replies
No. I mean, is there a URL that would take me directly to the page showing an Incident's full details? It would be very useful to put into Teams messages.

Hi @Gary Bushey, thank you for your feedback! Adding @Nicholas DiCola (SECURITY JEDI) 

@Valon_Kolica 

@Gary Bushey 

 

We don't have a "deep link" exposed today.

@Gary Bushey 

Great news, this has arrived!


Nicholas (I can't @ you, I get an "invalid HTML" error when I try to post), is there somewhere that release notes of changes like this are posted? Or even better, a roadmap so we know what's coming? Knowing this was coming would have saved us a lot of time last week. The biggest thing we're eager for is when Sentinel Incidents are coming to the Graph API; we're investing a lot of time in making Logic Apps so we can interact with Incidents via the API from ServiceNow.

@mevops 

Weird on the @ ...

We normally announce things in the What's New blade.

Not everything will be announced as some are minor features.

@Gary Bushey If an incident is triggered by a Microsoft Service data connector > Incidents > View Full Details > ALERT ID > ExtendedLinks should contain two Href links - one might be the security policy ID and the other the Security Alert ID - if you navigate to the URL in the Security alert ID is this the link you were looking for? 

@mevops Have you also found that this Incident Link is a bit useless? All it does is link you to the exact same page you would receive if you click the 'View full details' button underneath. It would be much more useful if it copied out the Microsoft Service alert href from the extended properties in the alert. 

@jcheal while I think Sentinel does indeed need a link back to the original Alert, if there is one, in this case the URL provided does just what I wanted it to. I wanted to be able to put this URL into a Teams message so that users had a quick and easy way to get back to the Incident. Now it just needs to show up as a field in the Logic App's connector :)

 

Sorry for the delay @jcheal, didn't spot this.

It's actually perfect for what we needed it for! We integrate Sentinel Incidents into our ServiceNow platform. We specifically sync Incidents, not Alerts, so that we don't lose all the aggregation power etc that Sentinel has in dealing with Alerts. We needed a way to get back to the Sentinel Incident from the ServiceNow platform though.

This link has allowed us to put a button on the ServiceNow Incident that takes the agent directly to the related Incident in Sentinel.

@Gary Bushey  - were you able to find a way to reference this URL in a LogicApp for posting into Teams or ServiceNow?

@jcheal 

Nicholas DiCola (SECURITY JEDI)

 

As a Security Analyst I prefer to go to the original Dashboard (e.g. in case I receive an MCAS or Defender Alert in Sentinel, I like to jump out of Sentinel and go to the original Dashboard, as I have more analysis options there). Is there an easy way to navigate to the Source Dashboard? I think it is not so user-friendly to search for the URL in the logs (Extended Links).

@CurlX I would suggest adding this to the Azure Sentinel feedback site: https://feedback.azure.com/forums/920458-azure-sentinel