Nov 20 2023 12:40 PM
Okay, I'm getting incidents with the description "Sign-in from an atypical location based on the user's recent sign-ins". In the incident, I can see that the Analytics rule is "Create incidents based on Azure Active Directory Identity Protection". I then went to Analytics where I can see the rule under "Active rules" and it's listed twice - once as Gallery Content and once as Custom Content. But I can't tell how either of these rules got into Sentinel. Is there a way to track where they came from? Especially the one labelled "Gallery content" seems like I should be able to tell the content source or find it in the Content Hub.
TIA
~dgm~
Nov 20 2023 01:34 PM
You should be able to click on the link for Analytics Rule in the info pane. This will take you directly to the Analytics Rule that generated the Incident.
Nov 20 2023 02:05 PM
Yes, it takes me to the rule but I want to know where the rule came from - which content from the Content Hub included that rule such that it ended up imported into this environment. Unlike most of the other Analytics Rules, this one only shows on the "Active rules" tab, not on the "Rule templates" tab. What I want to do is end up with this rule (and maybe any associated content) imported into a Sentinel test environment.
Nov 21 2023 01:45 AM