An Incident Internal Activity enables you to mail and/or attach information from the Sentinel database to the incident associated with the workflow process. Each of these options has a prerequisite:
Vulnerability for the Source IP address (SIP) or the Destination IP address (DIP): This requires that you run a vulnerability scanner and bring the results of the scan into Sentinel using a Vulnerability (or "information") Collector.
Advisor attack-related data: This requires the purchase and installation of the optional Advisor data subscription service.
Asset data: This requires that you run an asset management tool such as NMAP and bring the results into Sentinel using an Asset Collector.