question

HUIACE-4516 asked MarileeTurscak-MSFT answered

sentinel incident and alert

hi community nice folks

I am new to Sentinel, so I have a quick question: is it possible to have zero alerts and many incidents? Because to my understanding incidents are made up of one or many alerts, but today in my portal I see zero alerts and many incidents.

Cheers
zzzz

azure-sentinel

1 Answer

MarileeTurscak-MSFT answered

Though incidents are usually generated from alerts, it is possible to generate incidents without any alerts. An incident can be generated without an alert, but an alert cannot be generated without an incident. There is a script here that shows how to create an incident without an alert.

One reason to create an incident without an alert would be to store an incident from an external source that hasn't been integrated with Azure Sentinel yet. (There is a blog post here that discusses this concept in detail.)
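As an added example (not the script or blog post the answer links to), a KQL query against the Log Analytics `SecurityIncident` table that lists the incidents in a workspace which currently reference no alerts, so you can confirm the situation described in the question and see who or what created them; it assumes the standard `SecurityIncident` schema and keeps only the latest record per incident because every status or owner change writes a new row.

```kql
// Latest state of each incident, then keep only those with an empty AlertIds array
// (incidents created directly via the API or an external source show up here).
SecurityIncident
| summarize arg_max(LastModifiedTime, *) by IncidentNumber
| where coalesce(array_length(AlertIds), 0) == 0
| project IncidentNumber, Title, Severity, Status, CreatedTime, ModifiedBy, ProviderName, Description
| order by CreatedTime desc
```

Incidents that do carry alerts can be checked the same way by changing the filter to `> 0` and expanding `AlertIds` with `mv-expand` to join against `SecurityAlert` on `SystemAlertId`.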

