Forum Discussion
Is there a way to aggregate multiple alerts into one incident in Sentinel
Thank you very much for the information.
I am already using this feature and I am having good results.
One problem I am experiencing is with the grouping function. I configured it to group by [account]. When a query is executed, the logs point to two different users, but it generated only one ticket containing the two different entities in the same incident, even with the grouping option per [account].
The correct one should open two incidents, one for each [account], right?
I grouped the rule by the field [id_incident], using the entity [account]. In the raw logs, two types of [incident_id] were generated and only one use case was created containing the two accounts. The correct thing should be two incidents, because there were two different [id_incidents]. Am I correct in my thinking?
Can you help me in that regard?
Example:
luizao_lf : I think that the feature you are looking for is "event grouping" rather than "alert grouping". The former will split each result of the rule query into a different alert. See more in the documentation.
- luizao_lf, Oct 28, 2020, Copper Contributor
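To make the distinction in the reply concrete, here is an added example of a scheduled analytics rule definition, written in the YAML layout used by Sentinel rule templates. It is not code from the thread or from Microsoft's documentation; the rule id, the query, the table and column names and the thresholds are constructed placeholders. Event grouping (eventGroupingSettings) controls how query rows become alerts; alert grouping (incidentConfiguration.groupingConfiguration) controls how alerts are merged into incidents and only ever merges alerts, it never splits one alert apart. With the default SingleAlert setting, a run that returns two accounts yields one alert carrying both entities, so grouping by Account has nothing to separate. With AlertPerResult, each returned row becomes its own alert, and grouping by Account then keeps the two accounts in two incidents.

```yaml
# Added example (not from the thread or Microsoft docs): a scheduled analytics
# rule in the YAML layout used by Sentinel rule templates. The id, query,
# table/column names and thresholds are constructed placeholders.
id: 00000000-0000-0000-0000-000000000000   # placeholder rule id
name: Example - one alert per account (constructed)
description: |
  Constructed rule showing event grouping (AlertPerResult) combined with
  alert grouping by the Account entity.
severity: Medium
kind: Scheduled
queryFrequency: 1h
queryPeriod: 1h
triggerOperator: gt
triggerThreshold: 0
query: |
  // Constructed query: each output row is one account, so with
  // AlertPerResult every row becomes a separate alert.
  SigninLogs
  | where ResultType != "0"
  | summarize Failures = count() by UserPrincipalName
  | where Failures > 10
entityMappings:
  - entityType: Account
    fieldMappings:
      - identifier: FullName
        columnName: UserPrincipalName
# Event grouping: how the rows of one query run turn into alerts.
#   SingleAlert    - all rows of a run -> one alert; if two accounts are
#                    returned, the single alert carries both entities and
#                    alert grouping has nothing to split.
#   AlertPerResult - one alert per row -> one alert per account.
eventGroupingSettings:
  aggregationKind: AlertPerResult
# Alert grouping: how alerts are merged into incidents. Alerts that share
# the selected entity (here Account) within the lookback window are merged;
# alerts for different accounts stay in separate incidents.
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    enabled: true
    reopenClosedIncident: false
    lookbackDuration: 5h
    matchingMethod: Selected
    groupByEntities:
      - Account
version: 1.0.0
```

When checking an existing rule that produced one incident with several accounts, the first thing to look at is whether aggregationKind is still SingleAlert: the grouping configuration can be correct and still have only one alert to work with.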