I need help with configuring Alerts. To get started, I set up an alert for a simple query:
WDAVThreat | where ThreatStatus == "Remediated"
I am trying to be alerted to a Windows Defender threat (ultimately I will go for != Remediated, but this is a test). What I get is an email that includes all of the threats remediated. If possible, I would like to get an email for each new threat, and only one time.
How do I accomplish my goal?
Also note long-term we will be configuring an ITSM connection to ServiceNow. How do the alerts translate to the ITSM? Will they be formatted similarly? Is there a way to control what row data is included in the alert?