TS-noodlemctwoodle
Oct 13, 2020, Brass Contributor
Grouping Azure Sentinel - Azure Active Directory Identity Protection alerts
Is there a way to group Azure Active Directory Identity Protection alerts such as "Unfamiliar sign-in properties" in Azure Sentinel? We are seeing hundreds of these alerts being raised on a dail...
TS-noodlemctwoodle
Oct 13, 2020, Brass Contributor
My KQL definitely requires some work to map the entities to each other. More R&D required 🙂
Thijs Lecomte
Oct 13, 2020, Bronze Contributor
What we do is configure the default Security rule to exclude Unfamiliar sign-ins and then create a custom KQL query like you did.
Make sure you also configure Incident Grouping, which will group everything into one incident.
IMO, you shouldn't use Alert Grouping here, as one IDP alert should be one alert within Sentinel.
- luizao_lf, Oct 16, 2020, Copper Contributor
I found the solution interesting. But if you are going to get the IP logs, through which table will these logs be retrieved?
- Thijs Lecomte, Oct 18, 2020, Bronze Contributor
All IDP alerts are created in the SecurityAlert table.
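One way to write the custom scheduled-rule query described in this thread, as an added example that is not code from either poster: it reads Identity Protection alerts from the SecurityAlert table and returns one row per account, ready for Incident Grouping by the Account entity. The ProviderName value "IPC", the field names inside the Entities JSON, and the AccountCustomEntity mapping column are assumptions about the Sentinel schema that should be verified against your own workspace.

```kql
// Added example (not the posters' code): one row per account for
// Identity Protection "Unfamiliar sign-in properties" alerts, intended
// for a Scheduled analytics rule that runs every hour over the last hour.
// Assumptions to verify in your tenant: ProviderName == "IPC" identifies
// Identity Protection, and Entities holds a JSON array whose account
// objects carry Name/UPNSuffix and whose ip objects carry Address.
SecurityAlert
| where TimeGenerated > ago(1h)
| where ProviderName == "IPC"                       // assumed provider id
| where AlertName == "Unfamiliar sign-in properties"
| extend Ents = todynamic(Entities)                 // Entities is a JSON string
// Pull the account UPN and the sign-in IP out of each alert's entity list
| mv-apply E = Ents on (
    summarize
        Account   = take_anyif(strcat(tostring(E.Name), "@", tostring(E.UPNSuffix)),
                               tostring(E.Type) == "account"),
        IPAddress = take_anyif(tostring(E.Address), tostring(E.Type) == "ip")
  )
| where isnotempty(Account)
// Collapse the hundreds of individual alerts to one row per account
| summarize
    AlertCount  = count(),
    FirstSeen   = min(TimeGenerated),
    LastSeen    = max(TimeGenerated),
    IPAddresses = make_set_if(IPAddress, isnotempty(IPAddress)),
    Severity    = take_any(AlertSeverity)
  by Account
| order by AlertCount desc
// Entity mapping column for the analytics rule (assumed naming convention)
| extend AccountCustomEntity = Account
```

With the rule's Incident settings set to group alerts by the Account entity, each account in the result set lands in its own incident rather than all accounts being merged into one.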
- luizao_lf, Oct 27, 2020, Copper Contributor
Thank you very much for the information.
I am already using this feature and I am having good results.
One problem I am experiencing is with the grouping function. I configured it to group by [account]. When a query is executed, the logs point to two different users, but it generated only one ticket containing the two different entities in the same incident, even with the grouping option set per [account].
The correct one should open two incidents, one for each [account], right?