Forum Discussion
Grouping Azure Sentinel - Azure Active Directory Identity Protection alerts
Is there a way to group Azure Active Directory Identity Protection alerts such as "Unfamiliar sign-in properties" in Azure Sentinel?
We are seeing hundreds of these alerts being raised on a daily basis and it is causing quite a lot of noise in the incidents panel of Azure Sentinel.
What would be really useful is a way to group all these alerts into a single incident, however, I do not see a way to do this.
Any guidance would be greatly appreciated.
- GaryBushey (Bronze Contributor)
TS-noodlemctwoodle, if you are referring to the Microsoft Security (Preview) rule to "Create incidents based on Azure Active Directory Identity Protection alerts", then the answer is no. The only thing you can change is what severity to include, as well as to include or exclude specific alerts.
If you are referring to one you created yourself or another Scheduled rule, then Rod_Trent's answer is correct.
- TS-noodlemctwoodle (Brass Contributor)
GaryBushey - I was indeed referring to the Microsoft Security (Preview) rule.
Rod_Trent, as GaryBushey says, you can't edit the Microsoft Security (Preview) rules like you can with scheduled rules, so this wasn't possible, unfortunately. I think I have overcome the problem now, I'm just testing it. 🙂
- TS-noodlemctwoodle (Brass Contributor)
I have created a custom Scheduled rule and used this KQL to capture the same information that Identity Protection captures in the event.
SecurityAlert
// keep only the latest record for each alert id (an alert is re-ingested when its state changes)
| summarize arg_max(TimeGenerated, *) by SystemAlertId
| where DisplayName has "Unfamiliar sign-in properties"
| where AlertSeverity has "Low"
| project SystemAlertId, Entities, ExtendedProperties
// substitute a placeholder object so an empty string still expands to one row instead of being dropped
| extend Entities = iff(isempty(Entities), todynamic('[{"dummy" : ""}]'), todynamic(Entities))
| extend ExtendedProperties = iff(isempty(ExtendedProperties), todynamic('[{"dummy" : ""}]'), todynamic(ExtendedProperties))
// expand both arrays in parallel, then turn each object's keys into columns
| mvexpand Entities, ExtendedProperties
| evaluate bag_unpack(Entities)
| evaluate bag_unpack(ExtendedProperties)
// the unpacked keys only exist on rows that carried them, so default to an empty string
| extend userName = columnifexists("User Account", "")
| extend ipAddress = columnifexists("Address", "")
I mapped the entities from the KQL in the rule
I grouped all alerts into a single incident
- TS-noodlemctwoodle (Brass Contributor)
My KQL definitely requires some work to map the entities to each other. More R&D required 🙂
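As an added example (not the poster's query and not Microsoft's own rule logic), here is one way to get a single row per Identity Protection alert with the account and source IP taken from the same Entities list, so the two can be mapped together in a Scheduled rule without the parallel mvexpand; the Type, Name, UPNSuffix, AadUserId and Address fields are the standard SecurityAlert entity shape, and the 1-day lookback is an assumption to align with the rule's query period.

```kql
// Added example: one row per "Unfamiliar sign-in properties" alert,
// with the account and IP entities pulled out by their Type field.
SecurityAlert
| where TimeGenerated > ago(1d)                      // assumption: match the rule's lookback
| where DisplayName == "Unfamiliar sign-in properties"
| where AlertSeverity == "Low"
// an alert is re-ingested when its state changes; keep the latest copy only
| summarize arg_max(TimeGenerated, *) by SystemAlertId
| extend EntityList = todynamic(Entities)
// walk the entity array per alert and pick fields by entity type,
// so the account and the IP from the same alert land on the same row
| mv-apply Entity = EntityList on (
    summarize
        AccountName = take_anyif(tostring(Entity.Name), tostring(Entity.Type) == "account"),
        UPNSuffix   = take_anyif(tostring(Entity.UPNSuffix), tostring(Entity.Type) == "account"),
        AadUserId   = take_anyif(tostring(Entity.AadUserId), tostring(Entity.Type) == "account"),
        IPAddress   = take_anyif(tostring(Entity.Address), tostring(Entity.Type) == "ip")
  )
| extend UserPrincipalName = strcat(AccountName, "@", UPNSuffix)
// these columns are what the rule's entity mapping (Account, IP) points at
| project TimeGenerated, SystemAlertId, AlertSeverity, CompromisedEntity,
          UserPrincipalName, AadUserId, IPAddress
```

With Incident Grouping enabled on the rule, every row this returns in a run becomes one alert inside the same incident, which is the behaviour described in this thread.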
- Thijs Lecomte (Bronze Contributor)
What we do is we configure the default Security rule to exclude Unfamiliar sign-ins and then create a custom KQL query like you did.
Make sure you also configure Incident Grouping, which will group everything into one incident.
IMO, you shouldn't use Alert Grouping here, as one IDP alert should be one alert within Sentinel.
- Rod_Trent (Microsoft)
TS-noodlemctwoodle, if you modify the Analytics Rule, there are a couple of spots in the wizard to configure alert grouping. The first is on the Set Rule Logic page. The other location is on the Incident Settings (Preview) page.