Grouping Azure Sentinel - Azure Active Directory Identity Protection alerts

Is there a way to group Azure Active Directory Identity Protection alerts such as "Unfamiliar sign-in properties" in Azure Sentinel?

 

We are seeing hundreds of these alerts being raised on a daily basis and it is causing quite a lot of noise in the incidents panel of Azure Sentinel.

 

[screenshot: TS-noodlemctwoodle_0-1602578265862.png]

 

What would be really useful is a way to group all these alerts into a single incident, however, I do not see a way to do this.

 

Any guidance would be greatly appreciated.


@TS-noodlemctwoodle If you modify the Analytics Rule, there are a couple of spots in the wizard to configure alert grouping. The first is on the Set Rule Logic page. The other location is on the Incident Settings (Preview) page.

 

[screenshot: threshold.png]

I have created a custom Scheduled rule and used this KQL to capture the same information that Identity Protection captures in the event.

 

SecurityAlert
// keep only the latest copy of each alert (the same alert can be ingested more than once)
| summarize arg_max(TimeGenerated, *) by SystemAlertId
| where DisplayName has "Unfamiliar sign-in properties"
| where AlertSeverity has "Low"
| project SystemAlertId, Entities, ExtendedProperties
// substitute a placeholder record so mv-expand does not drop alerts whose fields are empty
| extend Entities = iff(isempty(Entities), todynamic('[{"dummy" : ""}]'), todynamic(Entities))
| extend ExtendedProperties = iff(isempty(ExtendedProperties), todynamic('[{"dummy" : ""}]'), todynamic(ExtendedProperties))
| mv-expand Entities, ExtendedProperties
| evaluate bag_unpack(Entities)
| evaluate bag_unpack(ExtendedProperties)
// these columns only exist when the unpacked bags contained those keys, hence the fallback
| extend userName = column_ifexists("User Account", "")
| extend ipAddress = column_ifexists("Address", "")

I mapped the entities from the KQL in the rule.

 

[screenshot: TS-noodlemctwoodle_0-1602588163377.png]

 

I grouped all alerts into a single incident.

[screenshot: TS-noodlemctwoodle_1-1602588256155.png]


@TS-noodlemctwoodle If you are referring to the Microsoft Security (Preview) rule to "Create incidents based on Azure Active Directory Identity Protection alerts" then the answer is no. The only thing you can change is what severity to include as well as to include or exclude specific alerts.

 

If you are referring to one you created yourself or another Scheduled rule, then @rodtrent's answer is correct.


@Gary Bushey - I was indeed referring to the Microsoft Security (Preview) rule.
@rodtrent as @Gary Bushey says, you can't edit the Microsoft Security (Preview) rules like you can with scheduled rules, so this wasn't possible, unfortunately.

 

I think I have overcome the problem now; I'm just testing it. :)


My KQL definitely requires some work to map the entities to each other. More R&D required :)

What we do is we configure the default Security rule to exclude Unfamiliar sign-ins and then create a custom KQL query like you did.

Make sure you also configure Incident Grouping, which will group everything into one incident.
IMO, you shouldn't use Alert Grouping here, as one IDP alert should be one alert within Sentinel.
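For the custom Scheduled rule described in the thread (exclude the alert type from the Microsoft Security rule, re-create it with KQL, then turn on Incident Grouping), here is an added example, not from any poster, of extracting the account and IP entities by walking the Entities array by its Type field instead of relying on unpacked column names. It assumes each entity object in SecurityAlert.Entities carries a Type of "account" or "ip" with Name/UPNSuffix or Address fields; verify that against your own alerts before mapping entities in the rule wizard.

```kql
// Added example (not from the thread): account and IP extraction for
// Identity Protection "Unfamiliar sign-in properties" alerts.
// Assumption: entity objects look like {"Type":"account","Name":..,"UPNSuffix":..}
// and {"Type":"ip","Address":..}; adjust the field names if yours differ.
SecurityAlert
| where DisplayName has "Unfamiliar sign-in properties"
// keep the latest copy of each alert, as the original query does
| summarize arg_max(TimeGenerated, *) by SystemAlertId
| extend EntityList = todynamic(Entities)
// drop alerts with no entities instead of inserting a dummy record
| where isnotempty(EntityList)
| mv-expand Entity = EntityList
| extend EntityType = tolower(tostring(Entity.Type))
// collapse the expanded entity rows back to one row per alert
| summarize
    userName      = take_anyif(strcat(tostring(Entity.Name), "@", tostring(Entity.UPNSuffix)), EntityType == "account"),
    ipAddress     = take_anyif(tostring(Entity.Address), EntityType == "ip"),
    TimeGenerated = take_any(TimeGenerated),
    AlertSeverity = take_any(AlertSeverity)
  by SystemAlertId
| where isnotempty(userName)
```

In the rule wizard, map userName to the Account entity and ipAddress to the IP entity, then enable Incident Grouping on the Incident Settings page so the alerts land in one incident rather than hundreds.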

@Thijs Lecomte 

I found the solution interesting. But if you are going to get the IP logs, through which table will these logs be retrieved?

All IDP Alerts are created in the SecurityAlert table.