Hi @abon13,
Microsoft Sentinel offers the capability to associate alerts with incidents, allowing for manual or automated addition and removal of alerts during investigations.
This functionality is integrated into the latest Microsoft Sentinel API version, making it accessible through the Logic Apps connector for Microsoft Sentinel. With this, playbooks can be employed to automatically include alerts in incidents based on specific conditions.
Additionally, the entity timeline feature, currently in Preview, enables the linking of alerts related to a particular entity to an incident. In the entity timeline, all entities involved in an incident investigation are displayed, and selecting an entity reveals a miniature entity page in a side panel.
By choosing "Related alerts," connected alerts are shown with dotted lines. Users can hover over a related alert, and a menu will appear on the side, providing the option to "Add alert to incident (Preview)." This action incorporates the alert into the incident, along with its associated entities and details.
An incident can contain a maximum of 150 alerts. Attempting to add an alert to an incident that already has 150 alerts will result in an error message.
Relate alerts to incidents in Microsoft Sentinel | Microsoft Learn
Investigate entities with entity pages in Microsoft Sentinel | Microsoft Learn
Please click Mark as Best Response & Like if my post helped you to solve your issue.
This will help others to find the correct solution easily. It also closes the item.
If the post was useful in other ways, please consider giving it Like.
Kindest regards,
Leon Pavesic
(LinkedIn)