You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: articles/sentinel/create-incidents-from-alerts.md
+28-20Lines changed: 28 additions & 20 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -19,47 +19,55 @@ You can easily configure Microsoft Sentinel to automatically create incidents ev
19
19
> - Enabled [**Microsoft Defender XDR incident integration**](microsoft-365-defender-sentinel-integration.md), or
20
20
> - Onboarded Microsoft Sentinel to the [**unified security operations platform**](microsoft-sentinel-defender-portal.md).
21
21
>
22
-
> In these scenarios, Microsoft Defender XDR creates incidents from alerts generated in Microsoft services.
22
+
> In these scenarios, Microsoft Defender XDR [creates incidents from alerts](/defender-xdr/alerts-incidents-correlation) generated in Microsoft services.
23
23
24
24
## Prerequisites
25
25
26
26
Connect your security solution by installing the appropriate solution from the **Content Hub** in Microsoft Sentinel and setting up the data connector. For more information, see [Discover and manage Microsoft Sentinel out-of-the-box content](sentinel-solutions-deploy.md) and [Microsoft Sentinel data connectors](connect-data-sources.md).
27
27
28
-
## Using Microsoft Security incident creation analytics rules
28
+
## Enable automatic incident generation in data connector
29
29
30
-
Use the rule templates available in Microsoft Sentinel to choose which connected Microsoft security solutions should create Microsoft Sentinel incidents automatically. You can also edit the rules to define more specific options for filtering which of the alerts generated by the Microsoft security solution should create incidents in Microsoft Sentinel. For example, you can choose to create Microsoft Sentinel incidents automatically only from high-severity Microsoft Defender for Cloud alerts.
30
+
The most direct way to automatically create incidents from alerts generated from Microsoft security solutions is to configure the solution's data connector to create incidents:
31
31
32
-
1.In the Azure portal under Microsoft Sentinel, select **Analytics**.
32
+
1.Connect a Microsoft security solution data source.
33
33
34
-
1. Select the **Rule templates** tab to see all of the analytics rule templates. To find more rule templates, go to the **Content hub** in Microsoft Sentinel.
34
+
:::image type="content" source="media/incidents-from-alerts/generate-security-incidents.png" alt-text="Screenshot of data connector configuration screen." lightbox="media/incidents-from-alerts/generate-security-incidents.png":::
1. Under **Create incidents – Recommended**, select **Enable** to enable the default analytics rule that creates incidents automatically fromalerts generated in the connected security service. You can then edit this rule under **Analytics** and then **Active rules**.
37
37
38
-
1. Choose the **Microsoft security** analytics rule template that you want to use, and select **Create rule**.
38
+
## Create incident creation rules from a Microsoft Security template
Microsoft Sentinel provides ready-made rule templates to create Microsoft Security rules. Each Microsoft source solution has its own template. For example, there's one for Microsoft Defender for Endpoint, one for Microsoft Defender for Cloud, and so on. Create a rule from each template that corresponds with the solutions in your environment, for which you want to create incidents automatically. Modify the rules to define more specific options for filtering which alerts should result in incidents. For example, you can choose to create Microsoft Sentinel incidents automatically only from high-severity alerts from Microsoft Defender for Identity.
41
41
42
-
1. You can modify the rule details, and choose to filter the alerts that will create incidents by alert severity or by text contained in the alert’s name.
43
-
44
-
For example, if you choose **Microsoft Defender for Cloud** in the **Microsoft security service** field and choose **High** in the **Filter by severity** field, only high severity security alerts will automatically create incidents in Microsoft Sentinel.
42
+
1. From the Microsoft Sentinel navigation menu, under **Configuration**, select **Analytics**.
1. Select the **Rule templates** tab to see all of the analytics rule templates. To find more rule templates, go to the **Content hub** in Microsoft Sentinel.
47
45
48
-
1. You can also create a new **Microsoft security** rule that filters alerts from different Microsoft security services by clicking on **+Create** and selecting **Microsoft incident creation rule**.
46
+
:::image type="content" source="media/incidents-from-alerts/rule-templates.png" alt-text="Screenshot of rule templates list in Analytics page." lightbox="media/incidents-from-alerts/rule-templates.png":::
1. Filter the list for the **Microsoft security**rule type to see the analytics rule templates for creating incidentsfrom Microsoft alerts.
51
49
52
-
You can create more than one **Microsoft Security** analytics rule per **Microsoft security service**type. This does not create duplicate incidents, since each rule is used as a filter. Even if an alert matches more than one **Microsoft Security** analytics rule, it creates just one Microsoft Sentinel incident.
50
+
:::image type="content" source="media/incidents-from-alerts/security-analytics-rule.png" alt-text="Screenshot of Microsoft security rule templates list.":::
53
51
54
-
## Enable incident generation automatically during connection
52
+
1. Select the rule template for the alert source for which you want to create incidents. Then, in the details pane, select **Create rule**.
55
53
56
-
When you connect a Microsoft security solution, you can select whether you want the alerts from the security solution to automatically generate incidents in Microsoft Sentinel automatically.
54
+
:::image type="content" source="media/incidents-from-alerts/rule-template-details.png" alt-text="Screenshot of rule template details panel.":::
57
55
58
-
1. Connect a Microsoft security solution data source.
56
+
1. Modify the rule details, filtering the alerts that will create incidents by alert severity or by text contained in the alert’s name.
57
+
58
+
For example, if you choose **Microsoft Defender for Identity** in the **Microsoft security service** field and choose **High** in the **Filter by severity** field, only high severity security alerts will automatically create incidents in Microsoft Sentinel.
59
+
60
+
:::image type="content" source="media/incidents-from-alerts/create-rule-wizard.png" alt-text="Screenshot of rule creation wizard.":::
61
+
62
+
1. Like with other types of analytics rules, select the **Automated response** tab to define [automation rules](create-manage-use-automation-rules.md) that run when incidents are created by this rule.
63
+
64
+
## Create incident creation rules from scratch
65
+
66
+
You can also create a new **Microsoft security** rule that filters alerts from different Microsoft security services. On the **Analytics** page, select **Create > Microsoft incident creation rule**.
:::image type="content" source="media/incidents-from-alerts/incident-creation-rule.png" alt-text="Screenshot of creating a Microsoft Security rule on the Analytics page.":::
61
69
62
-
1. Under **Create incidents** select **Enable**to enable the default analytics rule that creates incidents automatically from alerts generated in the connected security service. You can then edit this rule under **Analytics** and then **Active rules**.
70
+
You can create more than one **Microsoft Security** analytics rule per **Microsoft security service** type. This does not create duplicate incidents if you apply filters on each rule that exclude each other.
0 commit comments