Corrections from Ely and Mark, What's New

yelevin · yelevin · commit e647d7ca2cd0 · 2022-05-16T12:03:50.000+03:00
diff --git a/articles/sentinel/relate-alerts-to-incidents.md b/articles/sentinel/relate-alerts-to-incidents.md
@@ -5,7 +5,6 @@ author: yelevin
 ms.topic: how-to
 ms.date: 05/12/2022
 ms.author: yelevin
-ms.custom: ignite-fall-2021
 ---
 
 # Relate alerts to incidents in Microsoft Sentinel
@@ -18,7 +17,7 @@ This article shows you how to relate alerts to your incidents in Microsoft Senti
 > Incident expansion is currently in PREVIEW. The [Azure Preview Supplemental Terms](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) include additional legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.
 >
 
-## Expand the scope and the power of incidents
+## Expand the scope and power of your incidents
 
 One thing that this feature allows you to do is to include alerts from one data source in incidents generated by another data source. For example, you can add alerts from Microsoft Defender for Cloud, or from various third-party data sources, to incidents imported into Microsoft Sentinel from Microsoft 365 Defender.
 
@@ -76,19 +75,21 @@ When adding an alert to an incident, depending on the circumstances, you might b
 
     :::image type="content" source="media/relate-alerts-to-incidents/keep-or-close-other-incident.png" alt-text="Screenshot asking whether to keep or close other incident.":::
 
-    - **Keep other incident** preserves the alert in the other incident while also adding it to this one.
+    - **Keep other incident** preserves the other incident as is, while also adding the alert to this one.
 
-    - **Close other incident** adds the alert to this incident but removes it from the other incident, closing that incident in the process.
+    - **Close other incident** adds the alert to this incident and closes the other incident, adding the closing reason "Undetermined" and the comment "Alert was added to another incident" with the open incident's number.
 
-    - **Cancel** leaves the status quo. It keeps the alert in its original incident and does not add it to this one.
+    - **Cancel** leaves the status quo. It makes no changes to either the open incident or any other referenced incident.
 
     Which of these options you choose depends on your particular needs; we don't recommend one choice over the other.
 
 ### Limitations
 
 - Microsoft Sentinel imports both alerts and incidents from Microsoft 365 Defender. For the most part, you can treat these alerts and incidents like regular Microsoft Sentinel alerts and incidents. 
 
-    However, you can only add Defender alerts to Defender incidents (or remove them) in the Defender portal, not in the Sentinel portal. If you try doing this in Microsoft Sentinel, you will get an error message. You can pivot to the incident in the Microsoft 365 Defender portal using the link in the Microsoft Sentinel incident.
+    However, you can only add Defender alerts to Defender incidents (or remove them) in the Defender portal, not in the Sentinel portal. If you try doing this in Microsoft Sentinel, you will get an error message. You can pivot to the incident in the Microsoft 365 Defender portal using the link in the Microsoft Sentinel incident. Don't worry, though - any changes you make to the incident in the Microsoft 365 Defender portal are [synchronized](microsoft-365-defender-sentinel-integration.md#working-with-microsoft-365-defender-incidents-in-microsoft-sentinel-and-bi-directional-sync) with the parallel incident in Microsoft Sentinel, so you'll still see the added alerts in the incident in the Sentinel portal.
+
+    You *can* add Microsoft 365 Defender alerts to non-Defender incidents, and non-Defender alerts to Defender incidents, in the Microsoft Sentinel portal.
 
 - An incident can contain a maximum of 150 alerts. If you try to add an alert to an incident with 150 alerts in it, you will get an error message.
 
@@ -109,16 +110,15 @@ You're not limited to the portal to use this feature. It's also accessible throu
 You add an alert to an incident by creating a relationship between them. Use the following endpoint to add an alert to an existing incident. After this request is made, the alert joins the incident and will be visible in the list of alerts in the incident in the portal.
 
 ```http
-PUT https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/Incidents/{incidentId}/relations/{incidentId}_{SystemAlertId}?api-version=2019-01-01-preview 
-
+PUT https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/incidents/{incidentId}/relations/{relationName}?api-version=2021-10-01-preview
 ```
 
 The request body looks like this:
 
 ```json
 { 
     "properties": { 
-        "relatedResourceId": "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/entities/{alertSystemId}" 
+        "relatedResourceId": "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/entities/{systemAlertId}" 
     } 
 } 
 ```
@@ -128,34 +128,31 @@ The request body looks like this:
 You remove an alert from an incident by deleting the relationship between them. Use the following endpoint to remove an alert from an existing incident. After this request is made, the alert will no longer be connected to or appear in the incident.
 
 ```http
-DELETE https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/Incidents/{incidentId}/relations/{incidentId}_{SystemAlertId }?api-version=2019-01-01-preview
-
+DELETE https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/incidents/{incidentId}/relations/{relationName}?api-version=2021-10-01-preview
 ```
 
 ### List alert relationships
 
 You can also list all the alerts that are related to a particular incident, with this endpoint and request:
 
 ```http
-GET https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/Incidents/{incidentId}/relations?api-version=2019-01-01-preview
-
+GET https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/incidents/{incidentId}/relations?api-version=2021-10-01-preview
 ```
 
-### Expected responses
-
-Here are the possible response codes and results of these requests:
-
-| Code    | Response   | Result of operation |
-| ------- | ---------- | ------------------- |
-| **204** | No content | Success             |
-| **400** | BadRequest | Failed to create relation. Different relation type with name {relationName} already exists in incident {incidentIdentifier}. |
-| **400** | BadRequest | Failed to create relation. Alert {systemAlertId} already exists in incident {incidentIdentifier}. |
-| **400** | BadRequest | Failed to create relation. Related resource and incident should belong to the same workspace. |
-| **400** | BadRequest | Failed to create relation. Microsoft 365 Defender alerts cannot be added to Microsoft 365 Defender incidents. |
-| **400** | BadRequest | Failed to delete relation. Microsoft 365 Defender alerts cannot be removed from Microsoft 365 Defender incidents. |
-| **409** | Conflict   | Failed to create relation. Relation with name {relationName} already exists in incident {incidentIdentifier} to different alert {relationAlertId}. |
-| **404** | Not found  | Resource '{alertId}' does not exist. |
-| **404** | Not found  | Incident doesn’t exist. |
+### Specific error codes
+
+The [general API documentation](/rest/api/securityinsights/preview/incident-relations) lists expected response codes for the [Create](/rest/api/securityinsights/preview/incident-relations/create-or-update#response), [Delete](/rest/api/securityinsights/preview/incident-relations/delete#response), and [List](/rest/api/securityinsights/preview/incident-relations/list#response) operations mentioned above. Error codes are only mentioned there as a general category. Here are the possible specific error codes and messages listed there under the category of "Other Status Codes":
+
+| Code    | Message |
+| ------- | ------------------------------------------- |
+| **400 Bad Request** | Failed to create relation. Different relation type with name {relationName} already exists in incident {incidentIdentifier}. |
+| **400 Bad Request** | Failed to create relation. Alert {systemAlertId} already exists in incident {incidentIdentifier}. |
+| **400 Bad Request** | Failed to create relation. Related resource and incident should belong to the same workspace. |
+| **400 Bad Request** | Failed to create relation. Microsoft 365 Defender alerts cannot be added to Microsoft 365 Defender incidents. |
+| **400 Bad Request** | Failed to delete relation. Microsoft 365 Defender alerts cannot be removed from Microsoft 365 Defender incidents. |
+| **404 Not found**   | Resource '{systemAlertId}' does not exist.        |
+| **404 Not found**   | Incident doesn’t exist.                           |
+| **409 Conflict**    | Failed to create relation. Relation with name {relationName} already exists in incident {incidentIdentifier} to different alert {systemAlertId}. |
 
 ## Next steps
 In this article, you learned how to add alerts to incidents and remove them using the Microsoft Sentinel portal and API. For more information, see:
diff --git a/articles/sentinel/whats-new.md b/articles/sentinel/whats-new.md
@@ -29,16 +29,24 @@ If you're looking for items older than six months, you'll find them in the [Arch
 
 ## May 2022
 
-- [Relate alerts to incidents](#relate-alerts-to-incidents)
-- [Similar incidents](#similar-incidents)
+- [Relate alerts to incidents](#relate-alerts-to-incidents-preview)
+- [Similar incidents](#similar-incidents-preview)
 
-### Relate alerts to incidents
+### Relate alerts to incidents (Preview)
 
-### Similar incidents
+You can now add alerts to, or remove alerts from, existing incidents, either manually or automatically, as part of your investigation processes. This allows you to refine the incident scope as the investigation unfolds. For example, relate Microsoft Defender for Cloud alerts, or alerts from third-party products, to incidents synchronized from Microsoft 365 Defender. Use this feature from the investigation graph, the API, or through automation playbooks.
 
-## April 2022
+Learn more about [relating alerts to incidents](relate-alerts-to-incidents.md).
 
+### Similar incidents (Preview)
 
+When triaging or investigating an incident, the context of the entirety of incidents in your SOC can be extremely useful. For example, other incidents involving the same entities can represent useful context that will allow you to reach the right decision faster. Now there's a new tab in the incident page that lists other incidents that are similar to the incident you are investigating. Some common use cases for using similar incidents are:
+
+- Finding other incidents that might be part of a larger attack story.
+- Using a similar incident as a reference for incident handling. The way the previous incident was handled can act as a guide for handling the current one.
+- Finding relevant people in your SOC that have handled similar incidents for guidance or consult.
+
+Learn more about [similar incidents](investigate-cases.md#similar-incidents-preview).
 
 ## March 2022
 
