Forum Discussion
akshay250692
Jul 26, 2023 | Brass Contributor
Custom Entity Mapping
I wrote the KQL below with help from the community, but I am not able to create a custom entity in Set Rule Logic. I need to map the FailedAttempt field, but there is no option in the entity field. let threshold=2; let a...
- Jul 27, 2023: If you need to have the entity usable in an Automation rule, just select one of the existing entities and assign your field to it, just make sure to select one that the Automation rule could use.
GBushey
Jul 27, 2023 | Former Employee
Not much can be done about that as the alert trigger has minimal functionality. I would suggest using the incident trigger if at all possible.
akshay250692
Jul 27, 2023 | Brass Contributor
We are creating a playbook to reduce incidents.
- GBushey | Jul 27, 2023 | Former Employee: I would say you would be better off modifying the KQL of your rule to reduce the number of events being found rather than trying to use Automation rules. Once an alert has been generated, the incident will be created as well, unless the rule has been set to not create incidents automatically.