Forum Discussion
AlertName aggregation
Hey and thanks for your response.
I have, for example, a catch-all scheduled rule for WDATP named "WDATP - Catch All". Is there a way to aggregate the AlertName of the WDATP alerts into the scheduled rule name, or pass it as a parameter? Because now, when the scheduled rule triggers, regardless of the name of the alert I always get "WDATP - Catch All".
This is crucial in order to have layers of rules for correlated events, so as to be able to aggregate fields and pass them to all levels of correlation rules like in a traditional SIEM.
As far as I understand, for now this is not possible and the only fields that can be aggregated are the CustomEntities fields (IP, HOST, ACCOUNT, URL).
It is also needed in an MSSP environment with multi-customer support, in order to know, e.g., in which customer which alert got a hit, etc.
Is there any other workaround for this? Is it a feature that should be requested?
I hope it's more clear now. Feel free to reach me via PM as well for clarifications.
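As an added example (not part of the original thread, and not an official Microsoft query), this is what a catch-all scheduled rule query over the SecurityAlert table can look like when it keeps the original AlertName and the source workspace on every row, so the analyst can still see which customer and which Defender ATP alert produced the hit even though the rule itself carries a fixed name. The workspace names `customer-a-ws` and `customer-b-ws` and the `Customer` labels are assumed placeholders.

```kql
// Added example: catch-all over Defender ATP alerts from several customer workspaces.
// Workspace names and Customer labels are assumed placeholders for an MSSP setup.
union isfuzzy=true
    (workspace("customer-a-ws").SecurityAlert | extend Customer = "Customer A"),
    (workspace("customer-b-ws").SecurityAlert | extend Customer = "Customer B")
// Defender ATP alerts are written to SecurityAlert with ProviderName "MDATP".
| where ProviderName == "MDATP"
| where TimeGenerated > ago(1h)
// Keep the original alert name and severity per customer instead of collapsing
// everything under the scheduled rule's fixed name.
| summarize Hits = count(),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated)
    by Customer, AlertName, AlertSeverity
| project-reorder Customer, AlertName, AlertSeverity, Hits, FirstSeen, LastSeen
```

The query results attached to the resulting alert then carry `Customer` and `AlertName` per row, which is where a playbook or an analyst can read them back even though the rule name itself stays "WDATP - Catch All".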
akefallonitis In addition to what AdiGrio posted, which seems to be the best solution for your specific example, you can use Playbooks to change the title of an incident if you are using a Scheduled Analytic rule (which, unfortunately, you cannot do with an alert generated from Defender ATP) that can read the alert and, based on either the information in the alert or some other information, change the title of the incident that was generated to better suit what you need.
You can trigger this Playbook when looking at the Alert in the Incident's Full Details page for any incident but that is not an automatic process.
akefallonitis, Apr 26, 2020, Brass Contributor
GaryBushey, AdiGrio: thank you both for your answers.
So I understand this is more of a feature request, so I moved it to the request page: https://feedback.azure.com/forums/920458-azure-sentinel/suggestions/40271452-azure-sentinel-rules-fields-aggregation-and-custom
As for the playbooks, is there a way to trigger them from multi-workspace Sentinel alerts?