Oct 30 2020 07:33 AM
Hi all
I want to move Defender ATP (and other Microsoft stack) alerts/incidents into Sentinel (which is easily achieved) and from there move them out into SNOW. What is the current thinking about how to aggregate the incidents, given that in MTP they have a start time and then an updated time (multiple alerts can become one incident, for example)?
Oct 30 2020 09:11 AM
@wootts If I am understanding what you are trying to do correctly, you cannot do it. Alerts coming from other Azure security platforms, like Defender ATP, cannot be combined into a single incident. That functionality is only for Scheduled rules.
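An added example, written for this thread and not code from either poster, of the export-side handling the question raises: an incident in Sentinel keeps its original creation time but changes its last-modified time as alerts are attached, so a one-way sync into a ticketing system has to collapse the history to the latest state per incident and decide between create, update and skip. The row layout below is modelled on the SecurityIncident table in Log Analytics (one row per incident modification, with IncidentNumber, CreatedTime, LastModifiedTime and AlertIds columns); the sample rows and the ticket mirror (`tickets`, keyed by IncidentNumber with a `last_synced` timestamp) are constructed for the example and are assumptions, as is the ServiceNow side being represented by a plain dict.

```python
"""Collapse Sentinel incident export rows to the latest state per incident and
plan a one-way sync into a ticketing system (constructed example)."""
from datetime import datetime, timezone
from typing import Dict, List, Tuple

# Constructed sample rows in the shape of the Log Analytics SecurityIncident
# table (assumption: one row per modification). The rows for incident 7 are
# deliberately out of order: the fresher 07:20 row (with a second alert attached)
# appears before the original 07:00 row, so the collapse must compare timestamps
# rather than trust export order.
SAMPLE_ROWS: List[dict] = [
    {"IncidentNumber": 7, "Title": "Suspected credential dumping", "Severity": "High",
     "Status": "Active", "CreatedTime": "2020-10-30T07:00:00Z",
     "LastModifiedTime": "2020-10-30T07:20:00Z", "AlertIds": ["a1", "a3"]},
    {"IncidentNumber": 8, "Title": "Malware detected", "Severity": "Medium",
     "Status": "New", "CreatedTime": "2020-10-30T07:05:00Z",
     "LastModifiedTime": "2020-10-30T07:05:00Z", "AlertIds": ["a2"]},
    {"IncidentNumber": 7, "Title": "Suspected credential dumping", "Severity": "High",
     "Status": "New", "CreatedTime": "2020-10-30T07:00:00Z",
     "LastModifiedTime": "2020-10-30T07:00:00Z", "AlertIds": ["a1"]},
]


def parse_ts(value: str) -> datetime:
    """Parse the 'YYYY-MM-DDTHH:MM:SSZ' form used in the sample rows as UTC."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def latest_state(rows: List[dict]) -> Dict[int, dict]:
    """Return {IncidentNumber: row}, keeping the row with the greatest
    LastModifiedTime for each incident regardless of input order."""
    latest: Dict[int, dict] = {}
    for row in rows:
        number = row["IncidentNumber"]
        current = latest.get(number)
        if current is None or parse_ts(row["LastModifiedTime"]) > parse_ts(current["LastModifiedTime"]):
            latest[number] = row
    return latest


def plan_sync(rows: List[dict], tickets: Dict[int, dict]) -> List[Tuple[str, int]]:
    """Decide what to do per incident against a hypothetical ticket mirror.

    tickets maps IncidentNumber -> {"sys_id": ..., "last_synced": "<timestamp>"}.
    Returns (action, IncidentNumber) pairs, where action is 'create' for an
    incident not yet ticketed, 'update' when Sentinel's LastModifiedTime is newer
    than what was last synced, and 'skip' otherwise. Sorted for determinism.
    """
    actions: List[Tuple[str, int]] = []
    for number, row in sorted(latest_state(rows).items()):
        ticket = tickets.get(number)
        if ticket is None:
            actions.append(("create", number))
        elif parse_ts(row["LastModifiedTime"]) > parse_ts(ticket["last_synced"]):
            actions.append(("update", number))
        else:
            actions.append(("skip", number))
    return actions


def apply_sync(rows: List[dict], tickets: Dict[int, dict]) -> Dict[int, dict]:
    """Apply the plan to the mirror in place: create or refresh the ticket
    record with the incident's latest fields and advance last_synced."""
    state = latest_state(rows)
    for action, number in plan_sync(rows, tickets):
        if action == "skip":
            continue
        row = state[number]
        record = tickets.setdefault(number, {"sys_id": f"hypothetical-{number}"})
        record.update({
            "title": row["Title"],
            "severity": row["Severity"],
            "status": row["Status"],
            "alert_count": len(row["AlertIds"]),
            "created": row["CreatedTime"],
            "last_synced": row["LastModifiedTime"],
        })
    return tickets


if __name__ == "__main__":
    mirror: Dict[int, dict] = {}
    print(plan_sync(SAMPLE_ROWS, mirror))       # first run: both incidents created
    apply_sync(SAMPLE_ROWS, mirror)
    print(plan_sync(SAMPLE_ROWS, mirror))       # second run: nothing newer, both skipped
```

Keying on IncidentNumber rather than on alert IDs is what keeps the ticket count equal to the incident count even as more alerts are attached later; the `last_synced` watermark is what prevents re-opening or duplicating a ticket on every export run.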
Oct 30 2020 09:30 AM
@Gary Bushey thanks for the heads-up...
Oct 31 2020 01:35 AM
Nov 02 2020 01:25 AM
@Thijs Lecomte thanks for the heads-up... a work in progress, let's say.