How to Assign Azure Sentinel Incidents to AAD Groups

A new Azure Sentinel capability is available that allows you to assign Incidents to groups you have created in Azure Active Directory.

Assign Groups to Incidents

You can see in my image above that I can assign any Incident to a SOC Investigative Analysts or SOC Hunting Analysts group. Just so you don’t go looking and can’t find them in your environment, these are groups that I have created – they don’t exist by default. This capability will take some noodling to determine how you want to segment your team. You may even want to separate them by skillset. For example, you may want a group that’s specific to AAD account compromises, one that is more aligned with understanding how PowerShell can be a potential threat, and one that is comprised of Malware experts, and so on.

Working with groups for Incidents is available in all areas where Incidents can be adjusted including:

  • The Incident panel
  • Bulk Incident actions
  • Incident filter
  • Automation Rules
  • Incidents API


[Want to discuss this further? Hit me up on Twitter or LinkedIn]

[Subscribe to the RSS feed for this blog]

[Subscribe to the Weekly Azure Sentinel Newsletter]

[Subscribe to the Bi-Weekly Azure Security Center Newsletter]


Leave a Reply