What's New: Tags column is now available in Azure Sentinel incidents page!

Question

Hello everyone, 
We are happy to share with you a small but important improvement we added to our incidents blade – a new tag column is now available as part of the Incidents list!
&nbsp;
Tags are an integral part of the triaging process so we are now exposing them in a new column of the incident list. This improvement allows users to get informed about the tags that are related to the incidents without having to pivot to the incident preview page or full details. Every second counts, right?&nbsp;
&nbsp;

&nbsp;
&nbsp;
&nbsp;

paolo1490 · Answer

Hi&nbsp;Cristhofer Munoz&nbsp;is it possible to search for these tags via KQL?&nbsp;Specifically I am running a search of security incidents this year, and I would like to 'not' include any tickets with an 'auto close' tag. This would provide me with a list and number of tickets by 'humans' in my team rather than including ones closed by playbooks and automation etc.&nbsp;Cheers.

clive_watson · Answer

Labels == TagsSecurityIncident| extend Tags = parse_json(Labels)| extend labelName_ = tostring(Tags[0].labelName)| where isnotempty(labelName_)

jaymcc510 · Answer

great

patclementine · Answer

Clive_Watson&nbsp;Hi CliveI was reading though the documentation on how to create a Sentinel Incident with API but unfortunately I am not able to add labels/tags while creating a Sentinel Incident Manually with API Payload&nbsp;any suggestions I could try?

gbushey · Answer

They are referred to as "labels" in the REST API documentation.  I have an example with them in my Sentinel development EBook: https://garybushey.com/2023/11/27/programming-book-version-1-0-finally-ready/

Forum Discussion

What's New: Tags column is now available in Azure Sentinel incidents page!

Share

Resources