Forum Discussion
Is there a way to aggregate multiple alerts into one incident in Sentinel
CurlX, have you looked at the Analytic Wizard recently? We now have the ability to group alerts into one incident in public preview:
I see this option for custom analytics, but not for the in-built ones like "Create incidents based on Microsoft Defender Advanced Threat Protection alerts"
- GaryBushey, May 29, 2020, Bronze Contributor
CurlX You are correct in that what Sarah_Young presented only works for Scheduled alerts (sadly). In regard to alerts coming from other Azure security resources, you have no control over them and how they are formatted.
It would probably be worth adding this to the Azure Sentinel Feedback forum at https://feedback.azure.com/forums/920458-azure-sentinel
- CurlX, May 30, 2020, Copper Contributor
GaryBushey Thank you, this confirms my assumption. I have opened an "issue / request".
- Ofer_Shezaf, Jun 01, 2020, Microsoft
CurlX: One option is to create a scheduled rule for the MDATP alerts. There are differences to account for:
- You need a scheduled rule for each alert that aggregation is needed for, and you need to exclude that alert from the Microsoft rule for MDATP alerts.
- The scheduled rule creates a single alert for multiple MDATP alerts happening in the scheduling window. If you need multiple alerts, say one for each entity, there is a private preview for a feature enabling this. Note that those alerts can still be grouped.
- Lastly, it does imply up to 5 minutes of additional latency.
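The approach Ofer_Shezaf describes, as an added example that is not part of the thread and not Microsoft's own rule template: a KQL query for a Sentinel scheduled analytics rule that collapses every Defender for Endpoint (MDATP) alert raised in the scheduling window into one row per device, so the rule emits a single alert where the built-in Microsoft incident creation rule would have emitted one incident per alert. The query reads the `SecurityAlert` table; the assumptions are that `ProviderName == "MDATP"` identifies Defender for Endpoint alerts in that table and that `CompromisedEntity` holds the device name, both of which should be checked against your own workspace before the rule is enabled.

```kusto
// Added example (not from the thread): scheduled-rule query that aggregates
// Defender for Endpoint alerts per device within the rule's look-back window.
// Assumed: ProviderName "MDATP" tags these alerts and CompromisedEntity is the
// device name. Run the rule every 5 minutes with a 5-minute look-back so that
// consecutive runs neither overlap nor leave gaps.
SecurityAlert
| where TimeGenerated > ago(5m)                 // keep in step with the rule's query period
| where ProviderName == "MDATP"                 // assumed provider tag for Defender for Endpoint
| where AlertSeverity in ("High", "Medium")     // drop Low/Informational noise; tune as needed
// Map severity strings to numbers; string max() would sort "Medium" above "High".
| extend SeverityRank = case(AlertSeverity == "High", 3,
                             AlertSeverity == "Medium", 2,
                             AlertSeverity == "Low", 1,
                             0)
| extend Device = tolower(CompromisedEntity)    // normalise so case differences do not split a device
| summarize
    AlertCount     = count(),
    AlertNames     = make_set(AlertName, 20),    // cap the set so one noisy host cannot bloat the alert
    SourceAlertIds = make_set(SystemAlertId, 50),// keep the original alert ids for pivoting in triage
    MaxSeverity    = max(SeverityRank),
    FirstSeen      = min(TimeGenerated),
    LastSeen       = max(TimeGenerated)
  by Device
| extend HighestSeverity = case(MaxSeverity == 3, "High",
                                MaxSeverity == 2, "Medium",
                                MaxSeverity == 1, "Low",
                                "Informational")
// No AlertCount filter: once these alerts are excluded from the Microsoft rule,
// a lone MDATP alert still has to surface, and it simply yields a one-row result.
| project Device, AlertCount, HighestSeverity, FirstSeen, LastSeen, AlertNames, SourceAlertIds
```

In the rule wizard, map `Device` to the Host entity (HostName) so that the alert grouping option from the incident settings tab can merge alerts that share a host, and disable or filter the built-in "Create incidents based on Microsoft Defender Advanced Threat Protection alerts" rule for the alert names this query covers; otherwise every MDATP alert will produce both its own incident and a share of the aggregated one. The `SourceAlertIds` column is what lets an analyst get from the aggregated alert back to the individual Defender alerts, and the 5-minute window is the source of the extra latency Ofer_Shezaf mentions.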