Automatically create incidents from Microsoft security alerts

Note

Azure Sentinel is now called Microsoft Sentinel, and we’ll be updating these pages in the coming weeks. Learn more about recent Microsoft security enhancements.

Alerts triggered in Microsoft security solutions that are connected to Microsoft Sentinel, such as Microsoft Defender for Cloud Apps and Microsoft Defender for Identity (formerly Azure ATP), do not automatically create incidents in Microsoft Sentinel. By default, when you connect a Microsoft solution to Microsoft Sentinel, any alert generated in that service is stored as raw data in the SecurityAlert table in your Microsoft Sentinel workspace. You can then use that data like any other raw data you connect to Microsoft Sentinel.

You can easily configure Microsoft Sentinel to automatically create incidents every time an alert is triggered in a connected Microsoft security solution, by following the instructions in this article.

Prerequisites

You must connect Microsoft security solutions to enable incident creation from security service alerts.

Using Microsoft Security incident creation analytics rules

Use the built-in rules available in Microsoft Sentinel to choose which connected Microsoft security solutions should create Microsoft Sentinel incidents automatically in real time. You can also edit the rules to define more specific options for filtering which of the alerts generated by the Microsoft security solution should create incidents in Microsoft Sentinel. For example, you can choose to create Microsoft Sentinel incidents automatically only from high-severity Microsoft Defender for Cloud (formerly Azure Security Center) alerts.

  1. In the Azure portal under Microsoft Sentinel, select Analytics.

  2. Select the Rule templates tab to see all of the built-in analytics rules.

    [Screenshot: Rule templates tab]

  3. Choose the Microsoft security analytics rule template that you want to use, and select Create rule.

    [Screenshot: Microsoft security analytics rule template]

  4. You can modify the rule details, and choose to filter the alerts that will create incidents by alert severity or by text contained in the alert’s name.

    For example, if you choose Microsoft Defender for Cloud (may still be called Azure Security Center) in the Microsoft security service field and choose High in the Filter by severity field, only high-severity security alerts will automatically create incidents in Microsoft Sentinel.

    [Screenshot: Create rule wizard]

  5. You can also create a new Microsoft security rule that filters alerts from different Microsoft security services by clicking on +Create and selecting Microsoft incident creation rule.

    [Screenshot: Microsoft incident creation rule]

    You can create more than one Microsoft Security analytics rule per Microsoft security service type. This does not create duplicate incidents, since each rule is used as a filter. Even if an alert matches more than one Microsoft Security analytics rule, it creates just one Microsoft Sentinel incident.
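To make the filter semantics above concrete, here is an added example (not Microsoft code, and not how Sentinel is implemented internally) that models incident creation rules as filters over a few constructed SecurityAlert-style records: one rule filters Defender for Cloud alerts by severity, a second filters the same service by text in the alert name, and an alert that matches both still yields a single incident. The record field names and product name strings are assumptions for the model, not values taken from the page.

```python
from dataclasses import dataclass, field

# Constructed SecurityAlert-style records (not real Sentinel data). The field
# names and ProductName values are assumptions for this model.
ALERTS = [
    {"SystemAlertId": "a1", "ProductName": "Azure Security Center",
     "AlertSeverity": "High", "DisplayName": "Suspicious PowerShell cmdlets executed"},
    {"SystemAlertId": "a2", "ProductName": "Azure Security Center",
     "AlertSeverity": "Medium", "DisplayName": "Unusual login from unknown host"},
    {"SystemAlertId": "a3", "ProductName": "Microsoft Cloud App Security",
     "AlertSeverity": "High", "DisplayName": "Impossible travel activity"},
]


@dataclass
class IncidentCreationRule:
    """Models a Microsoft incident creation rule: a service plus optional
    severity and name-text filters. Empty filters mean 'match anything'."""
    name: str
    product: str
    severities: set = field(default_factory=set)
    name_contains: list = field(default_factory=list)

    def matches(self, alert):
        if alert["ProductName"] != self.product:
            return False
        if self.severities and alert["AlertSeverity"] not in self.severities:
            return False
        if self.name_contains and not any(
                s.lower() in alert["DisplayName"].lower() for s in self.name_contains):
            return False
        return True


def create_incidents(alerts, rules):
    """Return {SystemAlertId: [names of matching rules]}.
    Each alert produces at most one incident, however many rules match it."""
    incidents = {}
    for alert in alerts:
        matched = [r.name for r in rules if r.matches(alert)]
        if matched:
            incidents[alert["SystemAlertId"]] = matched
    return incidents


RULES = [
    IncidentCreationRule("MDC high severity", "Azure Security Center", {"High"}),
    IncidentCreationRule("MDC PowerShell alerts", "Azure Security Center",
                         name_contains=["PowerShell"]),
    IncidentCreationRule("MDA all alerts", "Microsoft Cloud App Security"),
]

if __name__ == "__main__":
    for alert_id, rule_names in create_incidents(ALERTS, RULES).items():
        print(alert_id, "->", rule_names)
```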

Enable incident generation automatically during connection

When you connect a Microsoft security solution, you can select whether you want the alerts from that solution to automatically generate incidents in Microsoft Sentinel.

  1. Connect a Microsoft security solution data source.

    [Screenshot: Generate security incidents]

  2. Under Create incidents, select Enable to enable the default analytics rule that creates incidents automatically from alerts generated in the connected security service. You can then edit this rule under Analytics, on the Active rules tab.

Next steps