Forum Discussion
Grouping alert into incident
Hello Raphael,
Thank you for the reply. I cannot add the rule in full here because of some client information in the rule, but most of the rule is from the out-of-the-box Sentinel rule called Mass Secret Retrieval From Azure Key Vault. For entity mapping in Sentinel we have used the following fields:
- OperationNameList - This will have the list of operations that triggered the alert.
- CallerObjectId - This is the account that performed the action.
- CallerIPMax - This is the most recent IP from which this operation was performed.
We have done the following settings:
Under incident settings we have done the following settings:
Even though all the entities are matching, this rule is creating an incident every hour and not grouping them into an incident.
- raphaelcustodiosoares, Aug 08, 2023, Iron Contributor
burasathi, hello,
You are using grouping when it matches account, ID and process. As the IP and the process will always be different, there will always be a non-grouped incident because it does not match the selected fields.
Select the last option and mark account.
About the alerts: it is generating too many because you are evaluating every hour with a 1 day data polling time; try running every 1 hour with a 1 hour polling time.
If you liked it, mark the answer with a like.
If you thought this answer helped in any way, please mark it as best answer.
- burasathi, Aug 10, 2023, Copper Contributor
Hello,
I have checked the IP and process; they were the same in each incident it generated every hour, but it was still not grouping. Thank you for the information. I will try reducing the polling time as well.
- KubaTom, Aug 08, 2023, Brass Contributor
As OperationNameList is the result of a make_set operation, it's effectively an array, and its elements are possibly out of order between the analytics rule's runs, which would cause an entity mismatch, i.e.
['a', 'b', 'c', 'd'] vs ['a', 'c', 'b', 'd']
Could this be the case? If so, try projecting this instead:
| project-reorder ..., OperationNameList=array_sort_asc(OperationNameList), ...
- burasathi, Aug 10, 2023, Copper Contributor
Hello,
Yeah, initially I thought so and checked the list, and they were in the same order. But I think using | project-reorder ..., OperationNameList=array_sort_asc(OperationNameList), ... is a good idea to make sure it is always in order.
Thank you for the suggestion.
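For readers who want to see KubaTom's suggestion in context, here is the shape of a Key Vault mass-retrieval detection with the sort applied before the set is used as a grouping entity. This is an added example, not burasathi's rule (which contains client data) and not the out-of-the-box rule's exact text: the threshold, the operation list, the AzureDiagnostics column names (in particular identity_claim_oid_g for the caller) and the use of max() for CallerIPMax are assumptions for illustration; burasathi's rule derives the most recent IP instead.

```kql
// Added example, not the thread's rule. Column names, threshold and the
// operation list are assumptions for illustration.
let threshold = 25;
AzureDiagnostics
| where ResourceProvider =~ "MICROSOFT.KEYVAULT"
| where ResultType =~ "Success"
| where OperationName in~ ("SecretGet", "SecretList", "KeyGet", "VaultGet")
| summarize
    StartTime = min(TimeGenerated),
    EndTime = max(TimeGenerated),
    OperationCount = count(),
    // make_set() returns the distinct operations but gives no ordering
    // guarantee, so ["SecretGet","VaultGet","KeyGet"] on one run and
    // ["KeyGet","SecretGet","VaultGet"] on the next are different values.
    OperationNameList = make_set(OperationName),
    // Assumption: lexical max as a stand-in; the thread's rule uses the
    // most recent caller IP.
    CallerIPMax = max(CallerIPAddress)
    by CallerObjectId = identity_claim_oid_g
| where OperationCount > threshold
// Normalise the set before it is mapped as an entity. With a stable value,
// "group alerts into a single incident" can match OperationNameList across
// hourly runs; without it the array order alone can break the match.
| extend OperationNameList = array_sort_asc(OperationNameList)
| project StartTime, EndTime, CallerObjectId, CallerIPMax, OperationCount, OperationNameList
```

The sort is only part of the fix discussed above: if the grouping settings also require the IP or process entities to match, any change in those values still produces a new incident, which is why raphaelcustodiosoares suggests grouping on the account alone. The rule frequency and lookback (the "polling time") are rule settings, not query text, so they are not shown here.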