Add Entity to existing Incident

[FormindGMO]

Is your feature request related to a problem? Please describe. When investigating an incident, we can find new items related to incident that can be useful to analyse.respond to/pivot against when new incidents will occur.

Describe the solution you'd like

• Having a buttun in Entities section of an incident to add new Entity, adding a right pane form asking for entity Type and associated entity
• Having also Logic App action to add it directly with automation.

Describe alternatives you've considered Workaround :

• Adding new alerts associated with hardcoded Entities and forced linked to this incident. Any ideas could be greatly appreciated.

Additional context None.

[v-sudkharat]

Hi @FormindGMO, Thanks for flagging this issue, we will investigate this issue and get back to you with some updates by 12-07-2024. Thanks!

[v-sudkharat]

Hey @FormindGMO, Could you please provide more details about the issue your facing, it would be great if you could attach screenshots as well. It helps us to investigate on it. Thanks!

[FormindGMO]

Hello! thanks for fast reply. It's not an issue but rather a feature request. Let's illustrate w/ an example. Assuming an incident of a computer having a malware that was run on it. In this incident we can assume that we had FileHash entity pre-positioned, and targeted host.

Analyzing targeted host, we can see that malware reached Command&Control 1.2.3.4. I want to :

• Add for the record this new finding in Sentinel incident with new IP Entity
• Enabling this can maybe leverage other playbooks (like : IP blockage on Firewall)
• And if in the future, other incidents spawns having this IP as Entity, it's linked in Sentinel Investigation tab, which is very useful for historical analysis.

So my feature could be to manually (or via Logic Apps) add entity to Incidents.