AlertName aggregation


Hi,

 

Is there a way to aggregate AlertName in a second layer correlation rule and/or pass it as a parameter in the AlertName?

 

Thanks in advance

5 Replies

@akefallonitis 

 

Can you provide an example? It is not clear what is the intended result.

 

Adrian Grigorof

www.managedsentinel.com

@AdiGrio

 

Hey and thanks for your response.

 

I have, for example, a catch-all scheduled rule for WDATP named "WDATP - Catch All". Is there a way to aggregate the AlertName of the WDATP alerts into the scheduled rule name or pass it as a parameter? Because now, when the scheduled rule is triggered, regardless of the name of the alert I always get "WDATP - Catch All".

 

This is crucial in order to have layers of rules for correlated events, so as to be able to aggregate fields and pass them to all levels of correlation rules like in a traditional SIEM.

As far as I understand, for now this is not possible, and the only fields that can be aggregated for now are the CustomEntities fields (IP, HOST, ACCOUNT, URL).

 

Also, it is needed in an MSSP environment with multi-customer support in order to know, e.g., in which customer which alert got a hit, etc.

 

Is there any other workaround for this? Is it a feature that should be requested?

 

I hope it's more clear now. Feel free to reach me via PM also for clarifications.

I understand now, and we identified this as a bit of a challenge for all the alerts that are generated by products such as Security Center, Defender ATP, MCAS, etc. One way, though not ideal, is to create individual alerts for each type of suspicious activity identified by these products and exclude those activities from the "catch-all" rule. There are not that many distinct types of alerts, so I would think it is manageable. You can also have different severity levels for these alerts.

There are also more advanced ways to collect data from different sources and correlate them in a Sentinel playbook (i.e. use MDATP REST API to extract the full alert details, including other "entities" that are not currently available from Sentinel).
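An added illustration of the layout Adrian describes (example queries, not from the thread or from Microsoft): one dedicated scheduled rule per WDATP alert type, beside a catch-all that excludes the types already covered, so the rule name that fires identifies the alert. The SecurityAlert table and its ProviderName, AlertName, Entities and CompromisedEntity columns are assumed from the standard Sentinel schema; the provider value, rule names and alert names are constructed placeholders.

```kql
// Query for a dedicated scheduled rule, e.g. "WDATP - Suspicious PowerShell" (placeholder name).
// Because it matches exactly one alert type, the rule name itself says which alert hit,
// and the host can be mapped through the HostCustomEntity field mentioned in the thread.
SecurityAlert
| where ProviderName == "MDATP"                              // Defender ATP alerts (assumed provider value)
| where AlertName == "Suspicious PowerShell command line"    // constructed placeholder alert name
| extend EntityList = parse_json(Entities)                   // Entities is a JSON array (assumed schema)
| mv-expand Entity = EntityList
| where tostring(Entity.Type) == "host"
| project TimeGenerated, AlertName, AlertSeverity,
          HostCustomEntity = tostring(Entity.HostName)

// Query for the catch-all rule "WDATP - Catch All" (placeholder name): everything from the
// same provider EXCEPT the alert types that already have a dedicated rule. Keep this list in
// sync with the dedicated rules, otherwise one alert produces two incidents.
let DedicatedAlertNames = dynamic([
    "Suspicious PowerShell command line",                    // constructed placeholders
    "Malware detected"
]);
SecurityAlert
| where ProviderName == "MDATP"
| where AlertName !in (DedicatedAlertNames)
| project TimeGenerated, AlertName, AlertSeverity, CompromisedEntity
```

Each query goes into its own scheduled analytics rule; they are shown together here only to make the exclusion relationship visible.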

@akefallonitis In addition to what @AdiGrio posted, which seems to be the best solution for your specific example, you can use Playbooks to change the title of an incident if you are using a Scheduled Analytic rule (which, unfortunately, you cannot do with an alert generated from Defender ATP) that can read the alert and, based on either the information in the alert or some other information, change the title of the incident that was generated to better suit what you need.

 

You can trigger this Playbook when looking at the Alert in the Incident's Full Details page for any incident but that is not an automatic process.

@Gary Bushey @AdiGrio Thank you both for your answers.

 

So I understand this is more of a feature request, so I moved it to the request page: https://feedback.azure.com/forums/920458-azure-sentinel/suggestions/40271452-azure-sentinel-rules-fi...

 

As for the playbooks, is there a way to trigger them from multiple-workspace Sentinel alerts?