Oct 15 2020 08:39 AM
Oct 15 2020 08:39 AM
I have a Proofpoint TAP connected to Sentinel. When a User clicks on a Malicious link in an email, one of our remediation steps is to have the user change their password. I have encountered a situation whereby Proofpoint generated one alert, but Sentinel generated two of the same alerts, an hour apart and triggered a playbook twice, to reset a user's password on both occasions. As in the image
I am seeking to create a solution, where by if a new alert is generated and has the entities match a previously created alert within 24 hours, the 2nd would be ignored and would not trigger the playbook. If there is a dynamic way of preventing these duplication of alerts, that would be the preferred rout.
Oct 15 2020 08:45 AM
Oct 15 2020 10:02 AM
@LodewykV I have configured to group the alerts if the entities match. I have a question about that function though. So I have configured my query to run every 5 minutes. If I set to limit the group to alerts created within 1 hour and After the first alert is generated the first query run, will the subsequent alerts be added to the 1st, and won't they trigger an automated playbook? I get that the alerts generated within the hour will be grouped. My question however is how will that affect the automation? The first query runs and generates an alert which triggers a playbook. Query runs again after 45 minutes and generates another alert with same entities, will that trigger the playbook, or it will just be added to the first alert and not trigger the playbook?
Oct 15 2020 11:54 AM
Oct 15 2020 12:01 PM
@Thijs Lecomte You might be referring to "When Azure Sentinel incident creation rule was triggered"?
Thank you for the response
Oct 15 2020 12:30 PM
@Thijs LecomteThank you! But is there a way to stop alerts from generating for the same entities repeatedly, especially if the source is only generating one of such alerts?
Oct 15 2020 12:35 PM
Oct 15 2020 12:46 PM
@Thijs Lecomte Nice Lead.. Do you have an example you can show me please? This is what I have so far.
Oct 17 2020 02:51 PM
Oct 18 2020 11:21 AM