Forum Discussion
CurlX
May 28, 2020, Copper Contributor
Is there a way to aggregate multiple alerts into one incident in Sentinel
Within Sentinel we see alerts from various different portals such as Defender Security Center. In the Defender Security Center we have one overview for alerts and one for incidents. One Defender inci...
Sarah_Young
Microsoft
May 29, 2020
CurlX have you looked at the Analytic Wizard recently? We now have the ability to group alerts into one incident in public preview:
- ShankarPunjabi, Oct 20, 2021, Copper Contributor
Is there a way to aggregate multiple custom alerts into one incident in Sentinel? I mean 2 different alerts generating one incident.
- GaryBushey, Oct 21, 2021, Bronze Contributor
That is not possible right now. Not sure if there are any plans to do this in the future.
- CurlX, May 29, 2020, Copper Contributor
I see this option for custom analytics, but not for the in-built ones like "Create incidents based on Microsoft Defender Advanced Threat Protection alerts"
- GaryBushey, May 29, 2020, Bronze Contributor
CurlX You are correct in that what Sarah_Young presented only works for Scheduled alerts (sadly). In regards to alerts coming from other Azure security resources, you have no control over them and how they are formatted.
It would probably be worth adding this to the Azure Sentinel Feedback forum at https://feedback.azure.com/forums/920458-azure-sentinel
- CurlX, May 30, 2020, Copper Contributor
GaryBushey Thank you, this confirms my assumption. I have opened an "issue / request".
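For reference, the alert-grouping setting Sarah_Young mentions is exposed on a Scheduled analytics rule as the `incidentConfiguration.groupingConfiguration` block. The ARM resource fragment below is an added illustration, not something posted in this thread or taken from Microsoft documentation verbatim; the rule name, the `apiVersion`, the KQL query and the choice of `Account` and `Host` as grouping entities are placeholders to be adapted. It groups all alerts fired by this one rule that share the same account and host within a 5 hour window into a single incident, which is exactly the scope GaryBushey describes (one Scheduled rule, not alerts arriving from Defender or other connectors).

```json
{
  "type": "Microsoft.SecurityInsights/alertRules",
  "apiVersion": "2023-02-01",
  "name": "PLACEHOLDER-rule-guid",
  "kind": "Scheduled",
  "properties": {
    "displayName": "Example grouped rule (placeholder)",
    "enabled": true,
    "severity": "Medium",
    "query": "SigninLogs | where ResultType != 0 | project TimeGenerated, UserPrincipalName, IPAddress",
    "queryFrequency": "PT1H",
    "queryPeriod": "PT1H",
    "triggerOperator": "GreaterThan",
    "triggerThreshold": 0,
    "entityMappings": [
      {
        "entityType": "Account",
        "fieldMappings": [ { "identifier": "FullName", "columnName": "UserPrincipalName" } ]
      },
      {
        "entityType": "IP",
        "fieldMappings": [ { "identifier": "Address", "columnName": "IPAddress" } ]
      }
    ],
    "incidentConfiguration": {
      "createIncident": true,
      "groupingConfiguration": {
        "enabled": true,
        "reopenClosedIncident": false,
        "lookbackDuration": "PT5H",
        "matchingMethod": "Selected",
        "groupByEntities": [ "Account", "Host" ],
        "groupByAlertDetails": [],
        "groupByCustomDetails": []
      }
    }
  }
}
```

With `matchingMethod` set to `AllEntities` every mapped entity must match before alerts are merged, `AnyAlert` merges every alert from the rule within the lookback window regardless of entities, and `Selected` (used above) merges only on the listed entity types. Setting `reopenClosedIncident` to `true` would pull new alerts back into an incident an analyst has already closed, so it is usually left `false` to avoid reopening triaged work.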