No incident triggered in Azure Sentinel

Malhotra, GurupreetSingh 31 Reputation points
2021-03-04T14:00:08.153+00:00

No incident triggered in Azure Sentinel, however there are Security Events observed. Kindly suggest what settings can be checked.

Microsoft Sentinel
Microsoft Sentinel
A scalable, cloud-native solution for security information event management and security orchestration automated response. Previously known as Azure Sentinel.
1,134 questions
Microsoft Entra
0 comments No comments
{count} votes

1 answer

Sort by: Most helpful
  1. Marilee Turscak-MSFT 36,846 Reputation points Microsoft Employee
    2021-03-04T21:28:54.1+00:00

    A few things to check:

    • Check that the analytics rules are set to create Incidents and not just alerts and that Incidents are set to "Enabled"

    74524-image.png

    • Make sure that the time range in the Incidents blade includes the time range when the incidents occurred.
    • Try this query to see what emerges: SecurityAlert
      | where TimeGenerated > ago(1d)
      | distinct DisplayName
    1 person found this answer helpful.

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.