Forum Discussion
TS-noodlemctwoodle
Oct 13, 2020, Copper Contributor
Grouping Azure Sentinel - Azure Active Directory Identity Protection alerts
Is there a way to group Azure Active Directory Identity Protection alerts such as "Unfamiliar sign-in properties" in Azure Sentinel? We are seeing hundreds of these alerts being raised on a dail...
luizao_lf
Oct 27, 2020, Copper Contributor
Thank you very much for the information.
I am already using this feature and I am having good results.
One problem I am experiencing is with the grouping function. I configured it to group by [account]. When a query is executed, the logs point to two different users, but it generated only one ticket containing the two different entities in the same incident, even with the grouping option set per [account].
The correct one should open two incidents, one for each [account], right?
Thijs Lecomte
Oct 27, 2020, Bronze Contributor
This is because there are multiple events in one alert. In the Rule Logic tab, there is a section called 'Event Grouping'. You should configure this to 'Trigger an alert for each event'.
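As an added example (not code from this thread or from Microsoft), here is how the two settings the replies distinguish look when a scheduled analytics rule is deployed as infrastructure-as-code: `eventGroupingSettings` decides whether one run of the query yields a single alert or one alert per row, and `incidentConfiguration.groupingConfiguration` decides which alerts are merged into one incident, keyed on the mapped Account entity. The workspace name, rule GUID, display name, KQL query and the API versions used are assumptions for the example.

```bicep
param workspaceName string
// Constructed placeholder; a real deployment keeps one stable GUID per rule.
param ruleId string = '00000000-0000-0000-0000-000000000000'

resource workspace 'Microsoft.OperationalInsights/workspaces@2022-10-01' existing = {
  name: workspaceName
}

resource rule 'Microsoft.SecurityInsights/alertRules@2023-02-01' = {
  scope: workspace
  name: ruleId
  kind: 'Scheduled'
  properties: {
    displayName: 'Unfamiliar sign-in properties (example rule)'
    enabled: true
    severity: 'Medium'
    // Constructed query: one row per risky sign-in, each row naming the user it belongs to.
    query: '''
SigninLogs
| where RiskEventTypes_V2 has "unfamiliarFeatures"
| project TimeGenerated, UserPrincipalName, IPAddress, AppDisplayName
'''
    queryFrequency: 'PT1H'
    queryPeriod: 'PT1H'
    triggerOperator: 'GreaterThan'
    triggerThreshold: 0
    suppressionEnabled: false
    suppressionDuration: 'PT1H'
    // Map the user column to an Account entity so incident grouping can key on it.
    entityMappings: [
      {
        entityType: 'Account'
        fieldMappings: [ { identifier: 'FullName', columnName: 'UserPrincipalName' } ]
      }
    ]
    // Rule Logic > Event grouping. The default 'SingleAlert' packs every row of one run
    // into one alert, so two users land in one incident; 'AlertPerResult' is the
    // "Trigger an alert for each event" option from the last reply.
    eventGroupingSettings: { aggregationKind: 'AlertPerResult' }
    // Incident settings > Alert grouping: merge a new alert into an open incident only
    // when its Account entity matches one seen in the last 5 hours.
    incidentConfiguration: {
      createIncident: true
      groupingConfiguration: {
        enabled: true
        reopenClosedIncident: false
        lookbackDuration: 'PT5H'
        matchingMethod: 'Selected'
        groupByEntities: [ 'Account' ]
      }
    }
  }
}
```

With these two settings together, a run that returns rows for two users produces two alerts and, since their Account entities differ, two incidents; a second alert for the same user within the lookback window is added to that user's existing incident instead of opening a new one.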