CurlX
Copper Contributor
May 28, 2020

Is there a way to aggregate multiple alerts into one incident in Sentinel

Within Sentinel we see alerts from various different portals such as Defender Security Center. In the Defender Security Center we have one overview for alerts and one for incidents. One Defender incident can contain multiple alerts, but in Sentinel these alerts are not aggregated. Is there a way to aggregate these alerts in Sentinel into one incident? I really like the incident view in Defender Security Portal, where I see all relevant alerts in one view. 

  • luizao_lf
    Copper Contributor

    CurlX 

    Thank you very much for the information.

    I am already using this feature and I am having good results.

    One problem I am experiencing is with a grouping function. I configured to group by [account]. When a query is executed, the logs point to two different users, but it generated only one ticket containing the two different entities in the same incident, even with a grouping option per [account].

    The correct one should open two incidents, one for each [account], right?


    I grouped the rule by the field [id_incident], using the entity [account]. In the raw logs, two types of [incident_id] were generated and only one use case was created containing the two accounts. The correct thing should be two incidents, because there were two different [id_incidents]. Am I correct in my thinking?

    Can you help me in that regard?


    Example:


    • Ofer_Shezaf
      Microsoft

      luizao_lf : I think that the feature you are looking for is "event grouping" rather than "alert grouping". The former will split each result of the rule query into a different alert. See more in the documentation.
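
The distinction drawn above, shown as an added example that is not part of this thread and not one of Microsoft's own rule templates: a scheduled analytics rule that sets both settings at once. `eventGroupingSettings.aggregationKind = 'AlertPerResult'` is the "event grouping" that turns each query row (each account) into its own alert; `incidentConfiguration.groupingConfiguration` is the "alert grouping" that decides which of those alerts share an incident. The workspace name, rule GUID, API version and the KQL query are assumed or constructed values.

```bicep
// Added example (not from this thread): a scheduled analytics rule that uses
// both grouping settings. Workspace name, rule GUID, API version and the KQL
// query are assumed/constructed values, not taken from the discussion.
param workspaceName string = 'contoso-sentinel-ws'              // assumed
param ruleId string = '00000000-0000-4000-8000-000000000001'   // placeholder GUID

resource workspace 'Microsoft.OperationalInsights/workspaces@2022-10-01' existing = {
  name: workspaceName
}

resource rule 'Microsoft.SecurityInsights/alertRules@2023-02-01-preview' = {
  scope: workspace
  name: ruleId
  kind: 'Scheduled'
  properties: {
    displayName: 'Repeated sign-in failures per account (example)'
    enabled: true
    severity: 'Medium'
    // Constructed query: one row per account with more than 10 failures in the window.
    query: '''
SigninLogs
| where ResultType != "0"
| summarize FailedCount = count() by UserPrincipalName
| where FailedCount > 10
'''
    queryFrequency: 'PT1H'
    queryPeriod: 'PT1H'
    triggerOperator: 'GreaterThan'
    triggerThreshold: 0
    suppressionEnabled: false
    suppressionDuration: 'PT1H'
    tactics: [ 'CredentialAccess' ]

    // Map the UPN column to an Account entity so grouping has something to key on.
    entityMappings: [
      {
        entityType: 'Account'
        fieldMappings: [
          { identifier: 'FullName', columnName: 'UserPrincipalName' }
        ]
      }
    ]

    // EVENT grouping: one alert per query result row. With 'SingleAlert' (the
    // default) all rows share one alert, so two accounts end up in one incident
    // no matter how alert grouping is configured.
    eventGroupingSettings: {
      aggregationKind: 'AlertPerResult'
    }

    // ALERT grouping: alerts whose Account entity matches are folded into one
    // incident within the lookback window; different accounts stay separate.
    incidentConfiguration: {
      createIncident: true
      groupingConfiguration: {
        enabled: true
        reopenClosedIncident: false
        lookbackDuration: 'PT5H'
        matchingMethod: 'Selected'      // other values: 'AllEntities', 'AnyAlert'
        groupByEntities: [ 'Account' ]
        groupByAlertDetails: []
        groupByCustomDetails: []
      }
    }
  }
}
```

Deploy with `az deployment group create --resource-group <rg> --template-file rule.bicep`. The point to check when an incident unexpectedly contains several accounts is the `aggregationKind`: entity-based alert grouping can only separate alerts that already exist as distinct alerts, so with `SingleAlert` a query that returns two accounts still produces a single alert and therefore a single incident.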

  • CurlX have you looked at the Analytic Wizard recently? We now have the ability to group alerts into one incident in public preview:

    • ShankarPunjabi
      Copper Contributor
      Is there a way to aggregate multiple custom alerts into one incident in Sentinel? I mean 2 different alerts generating one incident.
      • GaryBushey
        Bronze Contributor
        That is not possible right now. Not sure if there are any plans to do this in the future
    • CurlX
      Copper Contributor

      Sarah_Young 

      I see this option for custom analytics, but not for the in-built ones like "Create incidents based on Microsoft Defender Advanced Threat Protection alerts"