May 28 2020 01:41 AM
Within Sentinel we see alerts from various different portals such as Defender Security Center. In the Defender Security Center we have one overview for alerts and one for incidents. One Defender incident can contain multiple alerts, but in Sentinel these alerts are not aggregated. Is there a way to aggregate these alerts in Sentinel into one incident? I really like the incident view in Defender Security Portal, where I see all relevant alerts in one view.
May 28 2020 06:44 PM
@CurlX have you looked at the Analytic Wizard recently? We now have the ability to group alerts into one incident in public preview:
May 29 2020 12:33 AM
I see this option for custom analytics, but not for the in-built ones like "Create incidents based on Microsoft Defender Advanced Threat Protection alerts"
May 29 2020 04:04 AM
@CurlX You are correct in that what @Sarah_Young presented only works for Scheduled alerts (sadly). With regard to alerts coming from other Azure security resources, you have no control over them or how they are formatted.
It would probably be worth adding this to the Azure Sentinel Feedback forum at https://feedback.azure.com/forums/920458-azure-sentinel
May 30 2020 01:44 AM
@Gary Bushey Thank you, this confirms my assumption. I have opened an "issue / request".
Jun 01 2020 01:40 AM
@CurlX: One option is to create a scheduled rule for the MDATP alerts. There are differences to account for:
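As an added illustration of the scheduled-rule approach described above (this is example code, not a query posted in the thread or shipped with Sentinel), the following KQL re-surfaces MDATP alerts from the SecurityAlert table and projects one account and one host per alert so that they can be mapped as entities in the Analytic Wizard. It assumes that MDATP alerts carry ProviderName "MDATP" in your workspace, that the Entities JSON uses the field names Type, Name and HostName, and that the rule is scheduled to run every 5 minutes with a 5-minute lookback; confirm all three against your own data before relying on it.

```kql
// Added example: scheduled analytics rule query over SecurityAlert for MDATP alerts.
// Assumptions (not from the thread): ProviderName == "MDATP", entity field names
// Type / Name / HostName, and a 5-minute run frequency with a 5-minute lookback.
SecurityAlert
| where TimeGenerated >= ago(5m)            // keep in step with the rule's "run every" / "lookup" settings
| where ProviderName == "MDATP"             // assumption: verify the value in your workspace
| extend Ents = parse_json(Entities)        // Entities is a JSON string in SecurityAlert
| mv-expand Ent = Ents                      // one row per entity so we can pick out account and host
| extend EntType = tostring(Ent.Type)
| summarize
    AccountName = make_set_if(tostring(Ent.Name), EntType == "account"),
    HostName    = make_set_if(tostring(Ent.HostName), EntType == "host"),
    arg_max(TimeGenerated, AlertName, AlertSeverity, Description, AlertLink)
  by SystemAlertId                          // collapse back to one row per original alert
// Entity mapping in the wizard needs scalar columns, so take the first account / host found
| extend AccountName = tostring(AccountName[0]), HostName = tostring(HostName[0])
| project TimeGenerated, SystemAlertId, AlertName, AlertSeverity, Description, AlertLink,
          AccountName, HostName
```

Two practical points when wiring this into a rule: if the built-in "Create incidents based on Microsoft Defender Advanced Threat Protection alerts" rule stays enabled you will get every MDATP alert twice, once from each rule, so disable one of them; and alert grouping (group by the Account entity, for example) only groups the alerts that each rule run produces, so unless the rule is configured to raise one alert per query result, all rows returned by a single run land in one alert, and therefore in one incident, regardless of how many distinct accounts they contain.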
Oct 27 2020 09:15 AM
Thank you very much for the information.
I am already using this feature and I am having good results.
One problem I am experiencing is with the grouping function. I configured it to group by [account]. When the query was executed, the logs pointed to two different users, but it generated only one ticket containing the two different entities in the same incident, even with the grouping option per [account].
The correct behaviour should be to open two incidents, one for each [account], right?
I grouped the rule by the field [id_incident], using the entity [account]. In the raw logs, two types of [incident_id] were generated and only one use case was created containing the two accounts. The correct thing should be two incidents, because there were two different [id_incidents]. Am I correct in my thinking?
Can you help me in that regard?
Oct 27 2020 02:44 PM