Forum Discussion

GaryBushey's avatar
GaryBushey
Bronze Contributor
Jan 11, 2020
Solved

Multiple alerts generating an incident

I see in the Incident's page that there is a field that lists the number of alerts used to generate an incident.   How does this work?  How can you have multiple alerts generating a single incident? ...
  • ehloworldio's avatar
    ehloworldio
    Jan 12, 2020

    GaryBushey I think you might be asking about Advanced multistage attack detection in Azure Sentinel or Fusion rules. https://docs.microsoft.com/en-us/azure/sentinel/fusion

     

    Fusion rules combine two or more alerts from Azure AD Identity Protection and Microsoft Cloud App Security to create one incident. For example "Impossible travel to atypical locations leading to suspicious cloud app administrative activity", the rule correlate multiple alerts in attempt to predict a multistage attack.

     

ehloworldio's avatar
ehloworldio
Brass Contributor
Jan 12, 2020

GaryBushey I think you might be asking about Advanced multistage attack detection in Azure Sentinel or Fusion rules. https://docs.microsoft.com/en-us/azure/sentinel/fusion

 

Fusion rules combine two or more alerts from Azure AD Identity Protection and Microsoft Cloud App Security to create one incident. For example "Impossible travel to atypical locations leading to suspicious cloud app administrative activity", the rule correlate multiple alerts in attempt to predict a multistage attack.

 

  • GaryBushey's avatar
    GaryBushey
    Bronze Contributor
    Jan 12, 2020

    ehloworldio That makes sense.  Thanks.

Resources