Jan 10 2024 05:05 PM
Hi,
I know we can identify and close alerts from the Sentinel Incidents page; however, clicking on every alert to find which entities those alerts are associated with and then selecting "Close" is tedious. I am trying to find a way to identify all the alerts related to an entity and bulk close them.
Let me know if there is a way to do so.
Thanks!!
Jan 11 2024 12:44 AM
Hi @abon13,
Microsoft Sentinel offers the capability to associate alerts with incidents, allowing for manual or automated addition and removal of alerts during investigations.
This functionality is integrated into the latest Microsoft Sentinel API version, making it accessible through the Logic Apps connector for Microsoft Sentinel. With this, playbooks can be employed to automatically include alerts in incidents based on specific conditions.
Additionally, the entity timeline feature, currently in Preview, enables the linking of alerts related to a particular entity to an incident. In the entity timeline, all entities involved in an incident investigation are displayed, and selecting an entity reveals a miniature entity page in a side panel.
By choosing "Related alerts," connected alerts are shown with dotted lines. Users can hover over a related alert, and a menu will appear on the side, providing the option to "Add alert to incident (Preview)." This action incorporates the alert into the incident, along with its associated entities and details.
An incident can contain a maximum of 150 alerts. Attempting to add an alert to an incident that already has 150 alerts will result in an error message.
Relate alerts to incidents in Microsoft Sentinel | Microsoft Learn
Investigate entities with entity pages in Microsoft Sentinel | Microsoft Learn
Please click Mark as Best Response & Like if my post helped you to solve your issue.
This will help others to find the correct solution easily. It also closes the item.
If the post was useful in other ways, please consider giving it Like.
Kindest regards,
Leon Pavesic
(LinkedIn)
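As an added example (not part of the answer above or of Microsoft's documentation), the KQL below, run from the Sentinel Logs blade, lists every alert whose entities name a given host and the incident each alert currently belongs to, which is the list an analyst needs before bulk-closing incidents from the Incidents page. The host name is a constructed placeholder; the 30-day window is an assumption.

```kusto
// Constructed placeholder: replace with the host name under investigation.
let TargetHost = "placeholder-host-01";
// 1. Every alert whose Entities payload contains that host entity.
let AlertsForHost =
    SecurityAlert
    | where TimeGenerated > ago(30d)
    | extend EntityList = parse_json(Entities)
    | mv-expand Entity = EntityList
    | where tostring(Entity.Type) =~ "host"
        and tostring(Entity.HostName) =~ TargetHost
    | summarize FirstSeen = min(TimeGenerated)
        by SystemAlertId, AlertName, AlertSeverity;
// 2. Latest record per incident, expanded to one row per contained alert id.
let LatestIncidents =
    SecurityIncident
    | summarize arg_max(TimeGenerated, *) by IncidentNumber
    | mv-expand AlertId = AlertIds
    | project IncidentNumber, IncidentStatus = Status, AlertId = tostring(AlertId);
// 3. Left join so alerts not grouped into any incident still appear.
AlertsForHost
| join kind=leftouter LatestIncidents on $left.SystemAlertId == $right.AlertId
| project FirstSeen, AlertName, AlertSeverity, SystemAlertId, IncidentNumber, IncidentStatus
| order by FirstSeen desc
```

Rows with an empty IncidentNumber are alerts that sit outside every incident and, per the thread, still have to be closed one by one; the distinct IncidentNumber values are the ones to bulk-close.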
Jan 11 2024 06:08 PM
Jan 11 2024 11:53 PM
Hi @abon13,
Thanks for the additional info.
As far as I know, closing an incident does not automatically close the associated alerts.
This is because an alert can be associated with multiple incidents, and closing one incident might not mean that the issue the alert is indicating has been resolved.
Each alert must be closed individually to indicate that the issue it was alerting for has been addressed.
Kindest regards,
Leon Pavesic
(LinkedIn)
Jan 12 2024 12:27 AM
Jan 12 2024 12:49 AM
Hi @abon13,
As far as I know, only incidents can be bulk closed, but that does not automatically close the alerts.
How to close sentinel bulk incidents - Microsoft Community Hub
Kindest regards,
Leon Pavesic
(LinkedIn)