Forum Discussion

akefallonitis
Brass Contributor
Apr 24, 2020

AlertName aggregation

Hi,


Is there a way to aggregate AlertName in a second layer correlation rule and/or pass it as a parameter in the AlertName?


Thanks in advance

    • akefallonitis
      Brass Contributor

      AdiGrio

       

      Hey and thanks for your response.

      I have, for example, a catch-all scheduled rule for WDATP named "WDATP - Catch All". Is there a way to aggregate the AlertName of the WDATP alerts into the scheduled rule name or pass it as a parameter? Because now, when the scheduled rule is triggered, regardless of the name of the alert I always get "WDATP - Catch All".

      This is crucial in order to have layers of rules for correlated events, so as to be able to aggregate fields and pass them to all levels of correlation rules like in a traditional SIEM.

      As far as I understand, for now this is not possible and the only fields that can be aggregated are the CustomEntities fields (IP, HOST, ACCOUNT, URL).

      Also, it is needed in an MSSP environment with multi-customer support in order to know, e.g., in which customer which alert got a hit, etc.

      Is there any other workaround for this? Is it a feature that should be requested?

      I hope it's clearer now. Feel free to reach me via PM also for clarifications.

      • GaryBushey
        Bronze Contributor

        akefallonitis In addition to what AdiGrio posted, which seems to be the best solution for your specific example, you can use Playbooks to change the title of an incident if you are using a Scheduled Analytic rule (which, unfortunately, you cannot do with an alert generated from Defender ATP). The Playbook can read the alert and, based on either the information in the alert or some other information, change the title of the incident that was generated to better suit what you need.

        You can trigger this Playbook when looking at the Alert in the Incident's Full Details page for any incident, but that is not an automatic process.
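As an added example (not code posted in this thread, nor Microsoft's own), below is a KQL query of the kind a catch-all scheduled rule could run over the SecurityAlert table. It keeps the original AlertName, severity and compromised host in the rule's result set, so that even though the scheduled rule's own name stays fixed at "WDATP - Catch All", each incident's query results still show which Defender ATP alert actually fired, and the host column can be mapped to the HOST custom entity using the column-naming convention (HostCustomEntity) that the CustomEntities mapping used at the time. The provider filter value "MDATP" and the one-hour lookback are assumptions chosen for illustration; check the ProviderName values present in your own workspace.

```kql
// Added example: catch-all over Defender ATP alerts that preserves AlertName.
// Assumption: Defender ATP alerts land in SecurityAlert with ProviderName == "MDATP".
// Assumption: the rule runs hourly, so a one-hour lookback matches its frequency.
SecurityAlert
| where TimeGenerated > ago(1h)
| where ProviderName == "MDATP"
// Group per compromised host and severity, collecting the set of alert names
// that fired. The set goes into the incident's query results, which is the
// only place the original name survives when the rule title is fixed.
| summarize AlertCount = count(),
            FirstSeen  = min(TimeGenerated),
            LastSeen   = max(TimeGenerated),
            AlertNames = make_set(AlertName)
          by HostCustomEntity = CompromisedEntity, AlertSeverity
// Naming the column HostCustomEntity lets the rule map it to the HOST entity
// (the IP/ACCOUNT/URL custom entities follow the same naming pattern).
| order by LastSeen desc
```

When the rule fires, AlertNames is visible in the incident's query results and, because HostCustomEntity is mapped, the host is attached to the incident as an entity; the rule name itself still cannot be derived from AlertName, which is the limitation the thread describes.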
