articles/sentinel/relate-alerts-to-incidents.md
Lines changed: 69 additions & 4 deletions
@@ -68,7 +68,7 @@ When adding an alert to an incident, depending on the circumstances, you might b
68
68
69
69
In this case you'll see a message that the alert is part of another incident or incidents, and asked if you want to proceed. Select **OK** to add the alert or **Cancel** to leave things as they were.
70
70
71
-
Adding the alert to this incident *will not remove it* from any other incidents. Alerts can be related to more than one incident.
71
+
Adding the alert to this incident *will not remove it* from any other incidents. Alerts can be related to more than one incident. If you want, you can remove the alert manually from the other incident(s) by following the link(s) in the message prompt above.
72
72
73
73
- The alert you want to add belongs to another incident, and it's the only alert in the other incident.
74
74
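Review bot: the added sentence ("If you want, you can remove the alert manually from the other incident(s) by following the link(s) in the message prompt above") points at links that the preceding paragraph never mentions; that paragraph only says the message states the alert is part of another incident and asks whether to proceed. Either extend the earlier sentence to say the message names the other incident(s) and links to them, or reword the new sentence so it does not rely on an unstated detail, for example "you can open the other incident(s) and remove the alert from there manually". Minor: "other incident(s)" and "link(s)" read more smoothly as plain plurals.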
@@ -92,8 +92,73 @@ When adding an alert to an incident, depending on the circumstances, you might b
92
92
93
93
- An incident can contain a maximum of 150 alerts. If you try to add an alert to an incident with 150 alerts in it, you will get an error message.
94
94
95
+
## Add/remove alerts using playbooks
96
+
97
+
Adding and removing alerts to incidents are also available as actions in Logic Apps, and therefore in Microsoft Sentinel playbooks.
98
+
99
+
Here's an example of using the **Add alert to incident (Preview)** action in a playbook:
100
+
101
+
:::image type="content" source="media/relate-alerts-to-incidents/add-alert-using-playbook.png" alt-text="Screenshot of adding an alert to an incident using a playbook action.":::
102
+
103
+
## Add/remove alerts using the API
104
+
105
+
You're not limited to the portal to use this feature. It's also accessible through the Microsoft Sentinel API, through the [Incident relations](/rest/api/securityinsights/preview/incident-relations) operation group. It allows you to get, create, update, and delete relationships between alerts and incidents.
106
+
107
+
### Create a relationship
108
+
109
+
You add an alert to an incident by creating a relationship between them. Use the following endpoint to add an alert to an existing incident. After this request is made, the alert joins the incident and will be visible in the list of alerts in the incident in the portal.
110
+
111
+
```http
112
+
PUT https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/Incidents/{incidentId}/relations/{incidentId}_{SystemAlertId}?api-version=2019-01-01-preview
You remove an alert from an incident by deleting the relationship between them. Use the following endpoint to remove an alert from an existing incident. After this request is made, the alert will no longer be connected to or appear in the incident.
You can also list all the alerts that are related to a particular incident, with this endpoint and request:
138
+
139
+
```http
140
+
GET https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/Incidents/{incidentId}/relations?api-version=2019-01-01-preview
141
+
142
+
```
143
+
144
+
### Expected responses
145
+
146
+
Here are the possible response codes and results of these requests:
147
+
148
+
| Code | Response | Result of operation |
149
+
| ------- | ---------- | ------------------- |
150
+
|**204**| No content | Success |
151
+
|**400**| BadRequest | Failed to create relation. Different relation type with name {relationName} already exists in incident {incidentIdentifier}. |
152
+
|**400**| BadRequest | Failed to create relation. Alert {systemAlertId} already exists in incident {incidentIdentifier}. |
153
+
|**400**| BadRequest | Failed to create relation. Related resource and incident should belong to the same workspace. |
154
+
|**400**| BadRequest | Failed to create relation. Microsoft 365 Defender alerts cannot be added to Microsoft 365 Defender incidents. |
155
+
|**400**| BadRequest | Failed to delete relation. Microsoft 365 Defender alerts cannot be removed from Microsoft 365 Defender incidents. |
156
+
|**409**| Conflict | Failed to create relation. Relation with name {relationName} already exists in incident {incidentIdentifier} to different alert {relationAlertId}. |
157
+
|**404**| Not found | Resource '{alertId}' does not exist. |
158
+
|**404**| Not found | Incident doesn’t exist. |
159
+
95
160
## Next steps
96
-
In this article, you learned how to get started investigating incidents using Microsoft Sentinel. For more information, see:
161
+
In this article, you learned how to add alerts to incidents and remove them using the Microsoft Sentinel portal and API. For more information, see:
97
162
98
-
-[Tutorial: Use playbooks with automation rules in Microsoft Sentinel](tutorial-respond-threats-playbook.md)
99
-
-[Investigate incidents with UEBA data](investigate-with-ueba.md)
163
+
-[Investigate incidents with Microsoft Sentinel](investigate-cases.md)
164
+
-[Incident relations group in the Microsoft Sentinel REST API](/rest/api/securityinsights/preview/incident-relations)
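Review bot: the "Expected responses" table mixes rows for the create (PUT), delete (DELETE) and list (GET) requests without saying which request each row belongs to; the "Failed to delete relation" row and the two 404 rows only make sense for specific calls, and it is not stated which request returns "204 No content" as its success result. Add an operation column (PUT / DELETE / GET) or split the table per endpoint. Two consistency points in the same hunk: the alert placeholder is spelled `{SystemAlertId}` in the PUT URL but `{systemAlertId}` in the table and `{alertId}` in the 404 row, so settle on one spelling; and "Adding and removing alerts to incidents are also available as actions in Logic Apps" should read "Adding alerts to and removing alerts from incidents are also available as actions in Logic Apps".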