Forum Discussion
TS-noodlemctwoodle
Oct 13, 2020, Brass Contributor
Grouping Azure Sentinel - Azure Active Directory Identity Protection alerts
Is there a way to group Azure Active Directory Identity Protection alerts such as "Unfamiliar sign-in properties" in Azure Sentinel? We are seeing hundreds of these alerts being raised on a dail...
luizao_lf
Oct 16, 2020, Copper Contributor
I found the solution interesting. But if you are going to get the IP logs, through which table will these logs be retrieved?
Thijs Lecomte
Oct 18, 2020, Bronze Contributor
All IDP alerts are created in the SecurityAlert table.
- luizao_lf, Oct 27, 2020, Copper Contributor
Thank you very much for the information.
I am already using this feature and I am having good results.
One problem I am experiencing is with the grouping function. I configured it to group by [account]. When the query is executed, the logs point to two different users, but it generated only one ticket containing the two different entities in the same incident, even with the grouping option per [account].
The correct one should open two incidents, one for each [account], right?
- Thijs Lecomte, Oct 27, 2020, Bronze Contributor
This is because there are multiple events in one alert. In the Rule Logic tab, there is a section called 'Event Grouping'. You should configure this as 'Trigger an alert for each event'.
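As an added illustration (not code from any of the posters), a scheduled-rule query against the SecurityAlert table that emits one row per account entity, so that 'Trigger an alert for each event' combined with incident grouping by account produces one incident per account. The ProductName value and the field names inside the Entities JSON (Type, Name, UPNSuffix) are assumptions about the table layout and should be checked against your own workspace.

```kusto
// Added example: one result row per account entity in each Identity Protection alert.
// Assumption: ProductName and the Entities JSON layout (Type, Name, UPNSuffix) match your tenant.
SecurityAlert
| where TimeGenerated > ago(1h)
| where ProductName == "Azure Active Directory Identity Protection"
| where AlertName == "Unfamiliar sign-in properties"
// Entities is a JSON array of entity objects; expand it so each entity becomes its own row.
| extend EntityList = parse_json(Entities)
| mv-expand Entity = EntityList
| where tostring(Entity.Type) == "account"
| extend AccountName = tostring(Entity.Name),
         UPNSuffix   = tostring(Entity.UPNSuffix)
| extend UserPrincipalName = strcat(AccountName, "@", UPNSuffix)
// Collapse repeated alerts for the same user into a single event per account,
// keeping counts and the time window for the analyst.
| summarize AlertCount = count(),
            FirstSeen  = min(TimeGenerated),
            LastSeen   = max(TimeGenerated)
    by UserPrincipalName, AccountName, UPNSuffix, AlertName
```

In the rule's entity mapping, map AccountName to the Account entity's Name and UPNSuffix to its UPNSuffix; with event grouping set to 'Trigger an alert for each event', each row then becomes its own alert and the account-based incident grouping behaves as expected.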