After a Microsoft Graph Security API alert has been ingested, a security incident is created for it, or the alert is aggregated to an existing security incident, and the corresponding updates are made to the security incident record.

Worknotes

If you selected the Log work note for new alert option in the alert Aggregation Criteria, as described in Mapping alerts to security incident response fields, a work note is posted on the security incident when the alert is aggregated.


Microsoft Graph Security API: Log worknote

Click the alert link in the work note to open the internal alert import record, which contains the raw alert data as received from Microsoft Graph Security API.


Microsoft Graph Security API Alert Import Record

Aggregated alerts

Click Related Lists > Aggregated Microsoft Graph Security alerts to view the alerts that have been aggregated to the security incident. From this list you can perform the following actions:


Microsoft Graph Security API: aggregated alerts
  • Create security incident: Select an alert from the list, click the Actions menu, and click Create security incident. This option creates a new security incident for the selected alert and de-aggregates the alert from the parent security incident, so the alert is no longer listed under the parent.
  • Delete alert record: Select an alert from the list, click the Actions menu, and click Delete. This option deletes the alert record, including the raw alert data it holds, from the instance.