I am wanting to move Defender ATP (and other microsoft stack) alerts / incidents into Sentinel (which is easily achieved) and from here move them out into SNOW - what is the current thinking about how to aggregate the incidents as in MTP they have a start time and then an updated time (multiple alerts can become one incident by example).
@wootts If I am understanding what you are trying to do correctly, you cannot do it. Alerts coming from other Azure security platforms, like Defender ATP, cannot be combined into a single incident. That functionality is only for Scheduled rules.
Adding to what Gary already said. We do the same, but with JIRA. It is possible; but not for incidents. Currently Sentinel will only ingest alerts, not incidents.
