articles/sentinel/create-manage-use-automation-rules.md
Lines changed: 6 additions & 6 deletions
@@ -23,7 +23,7 @@ In this article you'll learn how to define the triggers and conditions that will
23
23
24
24
### Determine the scope
25
25
26
-
The first step in designing and defining your automation rule is figuring out which incidents (or alerts, in preview) you want it to apply to. This determination will directly impact how you create the rule.
26
+
The first step in designing and defining your automation rule is figuring out which incidents (or alerts) you want it to apply to. This determination will directly impact how you create the rule.
27
27
28
28
You also want to determine your use case. What are you trying to accomplish with this automation? Consider the following options:
29
29
@@ -34,21 +34,21 @@ You also want to determine your use case. What are you trying to accomplish with
34
34
- Escalate an incident by assigning a new owner.
35
35
- Close resolved incidents, specifying a reason and adding comments.
36
36
- Analyze the incident's contents (alerts, entities, and other properties) and take further action by calling a playbook.
37
-
-(**Preview**) Handle or respond to an alert without an associated incident.
37
+
- Handle or respond to an alert without an associated incident.
38
38
39
39
### Determine the trigger
40
40
41
41
Do you want this automation to be activated when new incidents (or alerts, in preview) are created? Or anytime an incident gets updated?
42
42
43
-
Automation rules are triggered **when an incident is created or updated**(the update trigger is now in **Preview**) or **when an alert is created** (also in **Preview**). Recall that incidents include alerts, and that both alerts and incidents are created by analytics rules, of which there are several types, as explained in [Detect threats with built-in analytics rules in Microsoft Sentinel](detect-threats-built-in.md).
43
+
Automation rules are triggered **when an incident is created or updated** or **when an alert is created**. Recall that incidents include alerts, and that both alerts and incidents are created by analytics rules, of which there are several types, as explained in [Detect threats with built-in analytics rules in Microsoft Sentinel](detect-threats-built-in.md).
44
44
45
45
The following table shows the different possible scenarios that will cause an automation rule to run.
46
46
47
47
| Trigger type | Events that cause the rule to run |
48
48
| --------- | ------------ |
49
49
|**When incident is created**| - A new incident is created by an analytics rule.<br>- An incident is ingested from Microsoft 365 Defender.<br>- A new incident is created manually. |
50
-
|**When incident is updated**<br>(Preview)| - An incident's status is changed (closed/reopened/triaged).<br>- An incident's owner is assigned or changed.<br>- An incident's severity is raised or lowered.<br>- Alerts are added to an incident.<br>- Comments, tags, or tactics are added to an incident. |
51
-
| **When alert is created**<br>(Preview) | - An alert is created by a scheduled analytics rule.
50
+
|**When incident is updated**<br> | - An incident's status is changed (closed/reopened/triaged).<br>- An incident's owner is assigned or changed.<br>- An incident's severity is raised or lowered.<br>- Alerts are added to an incident.<br>- Comments, tags, or tactics are added to an incident. |
51
+
| **When alert is created**<br> | - An alert is created by a scheduled analytics rule.
52
52
53
53
## Create your automation rule
54
54
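Review bot: The preview qualifier is removed inconsistently within this hunk. Unchanged context line 41 still reads "(or alerts, in preview)" while the new line 43 and the new table rows at lines 50 and 51 drop the Preview label, so the same section now contradicts itself; update line 41 to "(or alerts)" in this commit. Two smaller points on the new table rows: removing "(Preview)" left a trailing `<br>` in both trigger cells ("**When incident is updated**<br> |" and "**When alert is created**<br> |"), which renders as an empty second line inside the cell and should be deleted along with the label; and the alert row at line 51 still has no closing `|`, which this edit could fix while touching the line.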
@@ -69,7 +69,7 @@ Most of the following instructions apply to any and all use cases for which you'
69
69
70
70
### Choose your trigger
71
71
72
-
From the **Trigger** drop-down, select **When incident is created**, **When incident is updated (Preview)**, or **When alert is created (Preview)**, according to what you decided when designing your rule.
72
+
From the **Trigger** drop-down, select **When incident is created**, **When incident is updated**, or **When alert is created**, according to what you decided when designing your rule.
73
73
74
74
:::image type="content" source="media/create-manage-use-automation-rules/select-trigger.png" alt-text="Screenshot of selecting the incident create or incident update trigger.":::
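Review bot: The alt text on unchanged context line 74 ("Screenshot of selecting the incident create or incident update trigger.") names only two of the three triggers that the rewritten line 72 now lists without any preview qualifier. Since the alert trigger is presented as a regular option here, check that select-trigger.png shows all three entries in the drop-down and extend the alt text to mention "When alert is created".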