No incident triggered in Azure Sentinel

Malhotra, GurupreetSingh 11 Reputation points

No incident triggered in Azure Sentinel, however there are Security Events observed. Kindly suggest what settings can be checked.

Microsoft Sentinel

1 answer

  1. Marilee Turscak-MSFT 24,231 Reputation points Microsoft Employee

    A few things to check:

    • Check that the analytics rules are set to create Incidents and not just alerts and that Incidents are set to "Enabled"
    • Make sure that the time range in the Incidents blade includes the time range when the incidents occurred.
    • Try this query to see what emerges:

          SecurityAlert
          | where TimeGenerated > ago(1d)
          | distinct DisplayName
    1 person found this answer helpful.
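A follow-up query, added here as an example and not part of the answer above, that takes the suggested check one step further: instead of only listing alert names, it finds alerts that fired in the lookback window but were never attached to an incident. That is exactly the gap between "Security Events observed" and "no incident" in the question: raw SecurityEvent rows never create incidents by themselves, an analytics rule has to fire an alert first, and the rule's incident setting then decides whether that alert becomes an incident. The 1-day window is an assumed value to adjust as needed; the query relies on the standard Sentinel columns SecurityAlert.SystemAlertId and SecurityIncident.AlertIds.

```kql
// Assumed lookback window; widen it to match the period being investigated.
let window = 1d;
// Every alert id that some incident references in the window.
let alertsInIncidents =
    SecurityIncident
    | where TimeGenerated > ago(window)
    | mv-expand AlertId = AlertIds to typeof(string)
    | distinct AlertId;
// Alerts that fired but are not referenced by any incident.
// Rows here point at rules whose incident creation is disabled,
// or at incidents outside the time range shown in the Incidents blade.
SecurityAlert
| where TimeGenerated > ago(window)
| where SystemAlertId !in (alertsInIncidents)
| summarize Alerts = count(), LastSeen = max(TimeGenerated)
    by DisplayName, ProviderName, AlertSeverity
| order by Alerts desc
```

If the query returns rows, open the analytics rule named in DisplayName and confirm its incident settings match the first bullet in the answer; if it returns nothing while SecurityAlert itself is also empty, no rule has fired on the observed events yet, so the rules' query, frequency and enabled state are the next things to check.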