Merge pull request #282185 from yelevin/yelevin/incident-creation-exception

prmerger-automator[bot] · web-flow · commit 92a21e256a0d · 2024-07-30T21:01:57.000Z
Incident creation IRM exception
diff --git a/articles/sentinel/create-incidents-from-alerts.md b/articles/sentinel/create-incidents-from-alerts.md
@@ -20,6 +20,8 @@ You can easily configure Microsoft Sentinel to automatically create incidents ev
 > - Onboarded Microsoft Sentinel to the [**unified security operations platform**](microsoft-sentinel-defender-portal.md).
 >
 > In these scenarios, Microsoft Defender XDR [creates incidents from alerts](/defender-xdr/alerts-incidents-correlation) generated in Microsoft services.
+>
+> If you use incident creation rules for other Microsoft security solutions or products not integrated into Defender XDR, such as Microsoft Purview Insider Risk Management, and you plan to onboard to the unified security operations platform in the Defender portal, replace your incident creation rules with [scheduled analytics rules](scheduled-rules-overview.md).
 
 ## Prerequisites
 
diff --git a/articles/sentinel/microsoft-365-defender-sentinel-integration.md b/articles/sentinel/microsoft-365-defender-sentinel-integration.md
@@ -127,7 +127,7 @@ To avoid creating *duplicate incidents for the same alerts*, the **Microsoft inc
 
 - After you enable the Defender XDR connector, you can no longer predetermine the titles of incidents. The Defender XDR correlation engine presides over incident creation and automatically names the incidents it creates. This change is liable to affect any automation rules you created that use the incident name as a condition. To avoid this pitfall, use criteria other than the incident name as conditions for [triggering automation rules](automate-incident-handling-with-automation-rules.md#conditions). We recommend using *tags*.
 
-- If you use Microsoft Sentinel's incident creation rules for other Microsoft security solutions or products not integrated into Defender XDR, such as Microsoft Purview Insider Risk Management, and you plan to onboard to the unified security operations platform in the Defender portal, replace your incident creation rules with [scheduled analytic rules](create-analytics-rule-from-template.md).
+- If you use Microsoft Sentinel's incident creation rules for other Microsoft security solutions or products not integrated into Defender XDR, such as Microsoft Purview Insider Risk Management, and you plan to onboard to the unified security operations platform in the Defender portal, replace your incident creation rules with [scheduled analytics rules](scheduled-rules-overview.md).
 
 ## Working with Microsoft Defender XDR incidents in Microsoft Sentinel and bi-directional sync
 

Original file line number	Diff line number	Diff line change
`@@ -20,6 +20,8 @@ You can easily configure Microsoft Sentinel to automatically create incidents ev`
`20`	`20`	`> - Onboarded Microsoft Sentinel to the [unified security operations platform](microsoft-sentinel-defender-portal.md).`
`21`	`21`	`>`
`22`	`22`	`> In these scenarios, Microsoft Defender XDR [creates incidents from alerts](/defender-xdr/alerts-incidents-correlation) generated in Microsoft services.`
	`23`	`+>`
	`24`	`+> If you use incident creation rules for other Microsoft security solutions or products not integrated into Defender XDR, such as Microsoft Purview Insider Risk Management, and you plan to onboard to the unified security operations platform in the Defender portal, replace your incident creation rules with [scheduled analytics rules](scheduled-rules-overview.md).`
`23`	`25`
`24`	`26`	`## Prerequisites`
`25`	`27`