MicrosoftDocs
diff --git a/‎articles/sentinel/create-incidents-from-alerts.md
Lines changed: 34 additions & 20 deletions b/‎articles/sentinel/create-incidents-from-alerts.md
Lines changed: 34 additions & 20 deletions
diff --git a/‎articles/sentinel/media/incidents-from-alerts/create-rule-wizard.png
3.08 KB b/‎articles/sentinel/media/incidents-from-alerts/create-rule-wizard.png
3.08 KB
diff --git a/‎articles/sentinel/media/incidents-from-alerts/generate-security-incidents.png
-101 KB b/‎articles/sentinel/media/incidents-from-alerts/generate-security-incidents.png
-101 KB
diff --git a/‎articles/sentinel/media/incidents-from-alerts/incident-creation-rule.png
-165 KB b/‎articles/sentinel/media/incidents-from-alerts/incident-creation-rule.png
-165 KB
diff --git a/‎articles/sentinel/media/incidents-from-alerts/rule-template-details.png
37.6 KB b/‎articles/sentinel/media/incidents-from-alerts/rule-template-details.png
37.6 KB
diff --git a/‎articles/sentinel/media/incidents-from-alerts/rule-templates-alt.png
89.5 KB b/‎articles/sentinel/media/incidents-from-alerts/rule-templates-alt.png
89.5 KB
diff --git a/‎articles/sentinel/media/incidents-from-alerts/rule-templates.png
43.8 KB b/‎articles/sentinel/media/incidents-from-alerts/rule-templates.png
43.8 KB
diff --git a/‎articles/sentinel/media/incidents-from-alerts/security-analytics-rule.png
-172 KB b/‎articles/sentinel/media/incidents-from-alerts/security-analytics-rule.png
-172 KB
@@ -19,47 +19,61 @@ You can easily configure Microsoft Sentinel to automatically create incidents ev
 > - Enabled [**Microsoft Defender XDR incident integration**](microsoft-365-defender-sentinel-integration.md), or 
 > - Onboarded Microsoft Sentinel to the [**unified security operations platform**](microsoft-sentinel-defender-portal.md).
 >
-> In these scenarios, Microsoft Defender XDR creates incidents from alerts generated in Microsoft services.
+> In these scenarios, Microsoft Defender XDR [creates incidents from alerts](/defender-xdr/alerts-incidents-correlation) generated in Microsoft services.
 
 ## Prerequisites
 
 Connect your security solution by installing the appropriate solution from the **Content Hub** in Microsoft Sentinel and setting up the data connector. For more information, see [Discover and manage Microsoft Sentinel out-of-the-box content](sentinel-solutions-deploy.md) and [Microsoft Sentinel data connectors](connect-data-sources.md).
 
-## Using Microsoft Security incident creation analytics rules
+## Enable automatic incident generation in data connector
 
-Use the rule templates available in Microsoft Sentinel to choose which connected Microsoft security solutions should create Microsoft Sentinel incidents automatically. You can also edit the rules to define more specific options for filtering which of the alerts generated by the Microsoft security solution should create incidents in Microsoft Sentinel. For example, you can choose to create Microsoft Sentinel incidents automatically only from high-severity Microsoft Defender for Cloud alerts.
+The most direct way to automatically create incidents from alerts generated from Microsoft security solutions is to configure the solution's data connector to create incidents:
 
-1. In the Azure portal under Microsoft Sentinel, select **Analytics**.
+1. Connect a Microsoft security solution data source. 
 
-1. Select the **Rule templates** tab to see all of the analytics rule templates. To find more rule templates, go to the **Content hub** in Microsoft Sentinel.
+    :::image type="content" source="media/incidents-from-alerts/generate-security-incidents.png" alt-text="Screenshot of data connector configuration screen." lightbox="media/incidents-from-alerts/generate-security-incidents.png":::
 
-    ![Rule templates](media/incidents-from-alerts/rule-templates.png)
+1. Under **Create incidents &ndash; Recommended**, select **Enable** to enable the default analytics rule that creates incidents automatically from alerts generated in the connected security service. You can then edit this rule under **Analytics** and then **Active rules**.
 
-1. Choose the **Microsoft security** analytics rule template that you want to use, and select  **Create rule**.
+   > [!IMPORTANT]
+   >
+   > If you don't see this section as shown, you most likely have enabled incident integration in your Microsoft Defender XDR connector, or you have onboarded Microsoft Sentinel to the unified security operations platform in the Microsoft Defender portal.
+   >
+   > In either case, this article does not apply to your environment, since your incidents are created by the Microsoft Defender correlation engine instead of by Microsoft Sentinel.
 
-    ![Security analytics rule](media/incidents-from-alerts/security-analytics-rule.png)
+## Create incident creation rules from a Microsoft Security template
 
-1. You can modify the rule details, and choose to filter the alerts that will create incidents by alert severity or by text contained in the alert’s name.  
-      
-    For example, if you choose **Microsoft Defender for Cloud** in the **Microsoft security service** field and choose **High** in the **Filter by severity** field, only high severity security alerts will automatically create incidents in Microsoft Sentinel.  
+Microsoft Sentinel provides ready-made rule templates to create Microsoft Security rules. Each Microsoft source solution has its own template. For example, there's one for Microsoft Defender for Endpoint, one for Microsoft Defender for Cloud, and so on. Create a rule from each template that corresponds with the solutions in your environment, for which you want to create incidents automatically. Modify the rules to define more specific options for filtering which alerts should result in incidents. For example, you can choose to create Microsoft Sentinel incidents automatically only from high-severity alerts from Microsoft Defender for Identity.
 
-    ![Create rule wizard](media/incidents-from-alerts/create-rule-wizard.png)
+1. From the Microsoft Sentinel navigation menu, under **Configuration**, select **Analytics**.
 
-1. You can also create a new **Microsoft security** rule that filters alerts from different Microsoft security services by clicking on **+Create** and selecting **Microsoft incident creation rule**.
+1. Select the **Rule templates** tab to see all of the analytics rule templates. To find more rule templates, go to the **Content hub** in Microsoft Sentinel.
 
-    ![Incident creation rule](media/incidents-from-alerts/incident-creation-rule.png)
+    :::image type="content" source="media/incidents-from-alerts/rule-templates.png" alt-text="Screenshot of rule templates list in Analytics page." lightbox="media/incidents-from-alerts/rule-templates.png":::
 
-    You can create more than one **Microsoft Security** analytics rule per **Microsoft security service** type. This does not create duplicate incidents, since each rule is used as a filter. Even if an alert matches more than one **Microsoft Security** analytics rule, it creates just one Microsoft Sentinel incident.
+1. Filter the list for the **Microsoft security** rule type to see the analytics rule templates for creating incidents from Microsoft alerts.
 
-## Enable incident generation automatically during connection
+    :::image type="content" source="media/incidents-from-alerts/security-analytics-rule.png" alt-text="Screenshot of Microsoft security rule templates list.":::
 
-When you connect a Microsoft security solution, you can select whether you want the alerts from the security solution to automatically generate incidents in Microsoft Sentinel automatically.
+1. Select the rule template for the alert source for which you want to create incidents. Then, in the details pane, select **Create rule**.
 
-1. Connect a Microsoft security solution data source. 
+    :::image type="content" source="media/incidents-from-alerts/rule-template-details.png" alt-text="Screenshot of rule template details panel.":::
+
+1. Modify the rule details, filtering the alerts that will create incidents by alert severity or by text contained in the alert’s name.  
+      
+    For example, if you choose **Microsoft Defender for Identity** in the **Microsoft security service** field and choose **High** in the **Filter by severity** field, only high severity security alerts will automatically create incidents in Microsoft Sentinel.
+
+    :::image type="content" source="media/incidents-from-alerts/create-rule-wizard.png" alt-text="Screenshot of rule creation wizard.":::
+
+1. Like with other types of analytics rules, select the **Automated response** tab to define [automation rules](create-manage-use-automation-rules.md) that run when incidents are created by this rule.
+
+## Create incident creation rules from scratch
+
+You can also create a new **Microsoft security** rule that filters alerts from different Microsoft security services. On the **Analytics** page, select **Create > Microsoft incident creation rule**.
 
-   ![Generate security incidents](media/incidents-from-alerts/generate-security-incidents.png)
+:::image type="content" source="media/incidents-from-alerts/incident-creation-rule.png" alt-text="Screenshot of creating a Microsoft Security rule on the Analytics page.":::
 
-1. Under **Create incidents** select **Enable** to enable the default analytics rule that creates incidents automatically from alerts generated in the connected security service. You can then edit this rule under **Analytics** and then **Active rules**.
+You can create more than one **Microsoft Security** analytics rule per **Microsoft security service** type. This does not create duplicate incidents if you apply filters on each rule that exclude each other.
 
 ## Next steps