User Profile
Gift_Mangena
Copper Contributor
Joined 3 years ago
Recent Discussions
How to Investigate incidents following best practice - Sentinel Automation
I have successfully created a playbook that is supposed to automate investigation in MDE. It will then add a comment to the incident and post a message to me via email. I then created an automation rule with a condition that checks if the TITLE of the incident is xxxxxx; it should then change the severity of the incident to High, the status to New, and run the created playbook. In order to trigger it, I created an incident with the name xxxxxx that has severity Medium and status New.

Results: the incident changes status from New to Active and severity from Medium to High, but the playbook did not run or provide me with more details of the incident. Instead, I get this alert message: "The investigation graph requires that your incident includes entities (for example: user, host, IP, etc.). Use the entity mapping option when defining your alerts", while the Investigate button is greyed out.

Kindly advise. Thank you.

Solved · 1K Views · 0 likes · 1 Comment
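The alert message quoted in the post refers to entity mapping, which is configured on the analytics rule that produces the alert, not on the incident or the automation rule. As an added illustration that is not part of the original post or of any Microsoft sample, the following Bicep fragment shows where that mapping lives on a Microsoft Sentinel scheduled analytics rule: the `entityMappings` block ties columns returned by the rule's KQL query to Account, Host and IP entities, and incidents created from the rule's alerts then carry those entities. The workspace name, rule name, threshold, query and column names are placeholders assumed for the example.

```bicep
// Added example: a Sentinel scheduled analytics rule with entity mapping.
// All names and the query are assumptions for illustration, not from the post.
param workspaceName string = 'sentinel-workspace'   // assumed workspace name
param ruleName string = 'mde-failed-logons-example' // assumed rule resource name

// The rule is deployed against an existing Log Analytics workspace that has Sentinel enabled.
resource workspace 'Microsoft.OperationalInsights/workspaces@2022-10-01' existing = {
  name: workspaceName
}

resource failedLogonRule 'Microsoft.SecurityInsights/alertRules@2023-02-01' = {
  scope: workspace
  name: ruleName
  kind: 'Scheduled'
  properties: {
    displayName: 'MDE: repeated failed logons on a device (example)'
    description: 'Example rule whose alerts carry Account, Host and IP entities.'
    enabled: true
    severity: 'Medium'
    // Assumed query over the MDE DeviceLogonEvents table; the summarize step
    // must project the columns referenced in entityMappings below.
    query: '''
DeviceLogonEvents
| where ActionType == "LogonFailed"
| summarize Failures = count() by AccountName, DeviceName, RemoteIP
| where Failures > 20
'''
    queryFrequency: 'PT1H'
    queryPeriod: 'PT1H'
    triggerOperator: 'GreaterThan'
    triggerThreshold: 0
    suppressionDuration: 'PT1H'
    suppressionEnabled: false
    // Entity mapping: each entry maps a query column to an entity identifier.
    // Without this block the alert, and the incident built from it, has no
    // entities for the investigation graph to work with.
    entityMappings: [
      {
        entityType: 'Account'
        fieldMappings: [
          { identifier: 'Name', columnName: 'AccountName' }
        ]
      }
      {
        entityType: 'Host'
        fieldMappings: [
          { identifier: 'HostName', columnName: 'DeviceName' }
        ]
      }
      {
        entityType: 'IP'
        fieldMappings: [
          { identifier: 'Address', columnName: 'RemoteIP' }
        ]
      }
    ]
  }
}
```

Entities reach an incident only through the alerts that created it, so an incident created directly, with no alert from a mapped rule behind it, has nothing for the investigation graph to draw on regardless of what an automation rule later does to its severity or status.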