defender-xdr/advanced-hunting-link-to-incident.md
9 additions & 5 deletions
@@ -9,7 +9,7 @@ f1.keywords:
9
9
ms.author: pauloliveria
10
10
author: poliveria
11
11
ms.localizationpriority: medium
12
-
manager: dansimp
12
+
manager: orspodek
13
13
audience: ITPro
14
14
ms.collection:
15
15
- m365-security
@@ -22,7 +22,7 @@ appliesto:
22
22
- Microsoft Defender XDR
23
23
- Microsoft Sentinel in the Microsoft Defender portal
24
24
ms.topic: how-to
25
-
ms.date: 03/28/2025
25
+
ms.date: 12/02/2025
26
26
---
27
27
28
28
# Link query results to an incident
@@ -32,7 +32,11 @@ ms.date: 03/28/2025
32
32
33
33
34
34
35
-
You can use the link to incident feature to add advanced hunting query results to a new or existing incident under investigation. This feature helps you easily capture records from advanced hunting activities, which enables you to create a richer timeline or context of events regarding an incident.
35
+
Use the link to incident feature to add advanced hunting query results to a new or existing incident under investigation. This feature helps you easily capture records from advanced hunting activities, which enables you to create a richer timeline or context of events regarding an incident.
36
+
37
+
## Required permissions for linking incidents
38
+
39
+
To link query results to an incident, you need the same permissions required for managing custom detections. For more information, see [Create custom detection rules](custom-detection-rules.md#required-permissions-for-managing-custom-detections).
36
40
37
41
## Link results to new or existing incidents
38
42
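Review bot: The new "Required permissions for linking incidents" section never names a permission; it only says they are the same ones required for managing custom detections and defers to custom-detection-rules.md. For an access-control statement, consider naming the required role or permission inline, so an admin scoping least-privilege access does not depend on the other page staying in sync, and confirm that the `#required-permissions-for-managing-custom-detections` anchor resolves in the target file. The heading could also read "Required permissions for linking query results", since the feature links results to an incident rather than linking incidents.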
@@ -95,7 +99,7 @@ You can use the link to incident feature to add advanced hunting query results t
95
99
7. Review the details you've provided in the Summary section.
96
100
8. Select **Done**.
97
101
98
-
###View linked records in the incident
102
+
## View linked records in the incident
99
103
100
104
You can select the generated link from the summary step of the wizard or select the incident name from the incident queue, to view the incident to which the events are linked.
101
105
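Review bot: At `## View linked records in the incident`, the change does two things at once: it adds the missing space after the hashes and it moves the heading from level 3 to level 2, making it a sibling of "Link results to new or existing incidents" instead of a subsection. If only the rendering fix was intended, `### View linked records in the incident` keeps the original nesting; if the promotion is deliberate, note it in the commit description, since it changes the page outline.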
@@ -108,7 +112,7 @@ You can also select the event from the timeline view or from the query results v
108
112
109
113
:::image type="content" source="/defender/media/advanced-hunting-results-link8.png" alt-text="Screenshot of the incident page in the Microsoft Defender portal." lightbox="/defender/media/advanced-hunting-results-link8.png":::
110
114
111
-
###Filter for events added using advanced hunting
115
+
## Filter for events added using advanced hunting
112
116
113
117
You can view which alerts were generated from advanced hunting by filtering incidents and alerts by **Manual** detection source.