Forum Discussion
CurlX
May 28, 2020
Copper Contributor
Is there a way to aggregate multiple alerts into one incident in Sentinel
Within Sentinel we see alerts from various different portals such as Defender Security Center. In the Defender Security Center we have one overview for alerts and one for incidents. One Defender inci...
CurlX
May 30, 2020
Copper Contributor
GaryBushey Thank you, this confirms my assumption. I have opened an "issue / request".
Ofer_Shezaf
Microsoft
Jun 01, 2020
CurlX: One option is to create a scheduled rule for the MDATP alerts. There are differences to account for:
- You need a scheduled rule for each alert that aggregation is needed for, and you must exclude that alert from the Microsoft rule for MDATP alerts.
- The scheduled rule creates a single alert for multiple MDATP alerts happening in the scheduling window. If you need multiple alerts, say one for each entity, there is a private preview for a feature enabling this. Note that those alerts can still be grouped.
- Lastly, it does imply up to 5 minutes of additional latency.
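As an added illustration (not posted by anyone in this thread), this is the kind of query body such a scheduled rule would run against the SecurityAlert table to roll up MDATP alerts from one scheduling window into one result per host. It assumes a 5-minute run frequency and lookback, and the alert names in the list are constructed placeholders for whichever alerts you remove from the Microsoft rule.

```kql
// Added example, not from the original thread. Query for a custom scheduled
// analytics rule that aggregates MDATP alerts from the last 5 minutes per host.
// Assumption: the rule runs every 5 minutes with a matching 5-minute lookback.
let lookback = 5m;
// Constructed placeholder names: the MDATP alerts this rule takes over from
// the built-in Microsoft rule (which must exclude them to avoid duplicates).
let aggregatedAlerts = dynamic(["Example alert A", "Example alert B"]);
SecurityAlert
| where TimeGenerated > ago(lookback)
| where ProviderName == "MDATP"
| where AlertName in (aggregatedAlerts)
// Rank severity numerically so the roll-up keeps the highest one, not the
// lexically largest string.
| extend SevRank = case(AlertSeverity == "High", 3,
                        AlertSeverity == "Medium", 2,
                        AlertSeverity == "Low", 1,
                        0)
// Entities is a JSON array; expand it and keep the host entity so that the
// aggregation is keyed on the affected machine.
| mv-expand Entity = todynamic(Entities)
| where tostring(Entity.Type) == "host"
| extend HostName = tostring(Entity.HostName)
| summarize AlertCount     = count(),
            AlertNames     = make_set(AlertName),
            SourceAlertIds = make_set(SystemAlertId),   // keep originals for triage
            MaxSevRank     = max(SevRank),
            FirstSeen      = min(TimeGenerated),
            LastSeen       = max(TimeGenerated)
        by HostName
| extend MaxSeverity = case(MaxSevRank == 3, "High",
                            MaxSevRank == 2, "Medium",
                            MaxSevRank == 1, "Low",
                            "Informational")
| project HostName, AlertCount, MaxSeverity, AlertNames, SourceAlertIds, FirstSeen, LastSeen
```

Map HostName as the Host entity in the rule's entity mapping; without the per-entity preview Ofer mentions, the rule still raises one alert per run covering every row returned.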