Is there a way to aggregate multiple alerts into one incident in Sentinel

%3CLINGO-SUB%20id%3D%22lingo-sub-1423082%22%20slang%3D%22en-US%22%3EIs%20there%20a%20way%20to%20aggregate%20multiple%20alerts%20into%20one%20incident%20in%20Sentinel%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1423082%22%20slang%3D%22en-US%22%3E%3CP%3EWithin%20Sentinel%20we%20see%20alerts%20from%20various%20different%20portals%20such%20as%20Defender%20Security%20Center.%20In%20the%20Defender%20Security%20Center%20we%20have%20one%20overview%20for%20alerts%20and%20one%20for%20incidents.%20One%20Defender%20incident%20can%20contain%20multiple%20alerts%2C%20but%20in%20Sentinel%20these%20alerts%20are%20not%20aggregated.%20Is%20there%20a%20way%20to%20aggregate%20these%20alerts%20in%20Sentinel%20into%20one%20incident%3F%20I%20really%20like%20the%20incident%20view%20in%20Defender%20Security%20Portal%2C%20where%20I%20see%20all%20relevant%20alerts%20in%20one%20view.%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1425473%22%20slang%3D%22en-US%22%3ERe%3A%20Is%20there%20a%20way%20to%20aggregate%20multiple%20alerts%20into%20one%20incident%20in%20Sentinel%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1425473%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F681519%22%20target%3D%22_blank%22%3E%40CurlX%3C%2FA%3E%26nbsp%3Bhave%20you%20looked%20at%20the%20Analytic%20Wizard%20recently%3F%20We%20now%20have%20the%20ability%20to%20group%20alerts%20into%20one%20incident%20in%20public%20preview%3A%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22Capture.PNG%22%20style%3D%22width%3A%20945px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F195245iB8F12697E6F2B5F8%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20title%3D%22Capture.PNG%22%20alt%3D%22Capture.PNG%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1425902%22%20slang%3D%22en-US%22%3ERe%3A%20Is%20there%20a%20way%20to%20aggregate%20multiple%20alerts%20into%20one%20incident%20in%20Sentinel%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1425902%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F538161%22%20target%3D%22_blank%22%3E%40sarahyo%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20see%20this%20option%20for%20custom%20analytics%2C%20but%20not%20for%20the%20in-built%20ones%20like%20%22Create%20incidents%20based%20on%20Microsoft%20Defender%20Advanced%20Threat%20Protection%20alerts%22%3C%2FP%3E%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22CurlX_1-1590737515512.png%22%20style%3D%22width%3A%20400px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F195296i2750F4F49C524F37%2Fimage-size%2Fmedium%3Fv%3D1.0%26amp%3Bpx%3D400%22%20title%3D%22CurlX_1-1590737515512.png%22%20alt%3D%22CurlX_1-1590737515512.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1426269%22%20slang%3D%22en-US%22%3ERe%3A%20Is%20there%20a%20way%20to%20aggregate%20multiple%20alerts%20into%20one%20incident%20in%20Sentinel%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1426269%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F681519%22%20target%3D%22_blank%22%3E%40CurlX%3C%2FA%3E%26nbsp%3BYou%20are%20correct%20in%20that%20what%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F538161%22%20target%3D%22_blank%22%3E%40sarahyo%3C%2FA%3E%26nbsp%3Bpresented%20only%20works%20for%20Scheduled%20alerts%20(sadly).%26nbsp%3B%20In%20regards%20to%20alerts%20coming%20from%20other%20Azure%20security%20resources%2C%20you%20have%20no%20control%20over%20them%20and%20how%20they%20are%20formatted.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EIt%20would%20probably%20be%20worth%20adding%20this%20to%20the%20Azure%20Sentinel%20Feedback%20forum%20at%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ffeedback.azure.com%2Fforums%2F920458-azure-sentinel%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Ffeedback.azure.com%2Fforums%2F920458-azure-sentinel%3C%2FA%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1428387%22%20slang%3D%22en-US%22%3ERe%3A%20Is%20there%20a%20way%20to%20aggregate%20multiple%20alerts%20into%20one%20incident%20in%20Sentinel%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1428387%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F46875%22%20target%3D%22_blank%22%3E%40Gary%20Bushey%3C%2FA%3E%26nbsp%3B%20Thank%20you%2C%20this%20confirms%20my%20assumption.%20I%20have%20opend%20an%20%22issue%20%2F%20reques%22.%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1430528%22%20slang%3D%22en-US%22%3ERe%3A%20Is%20there%20a%20way%20to%20aggregate%20multiple%20alerts%20into%20one%20incident%20in%20Sentinel%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1430528%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F681519%22%20target%3D%22_blank%22%3E%40CurlX%3C%2FA%3E%3A%26nbsp%3B%3CSPAN%20data-preserver-spaces%3D%22true%22%3EOne%20option%20is%20to%20create%20a%20scheduled%20rule%20for%20the%20MDATP%20alerts.%20There%20are%20differences%20to%20account%20for%3A%3C%2FSPAN%3E%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%3E%3CSPAN%20data-preserver-spaces%3D%22true%22%3EYou%20need%20a%20scheduled%20rule%20for%20each%20alert%20aggregation%20is%20needed%20for%2C%20and%20exclude%20it%20from%20the%20Microsoft%20rule%20for%20MDATP%20alerts.%3C%2FSPAN%3E%3C%2FLI%3E%0A%3CLI%3E%3CSPAN%20data-preserver-spaces%3D%22true%22%3EThe%20scheduled%20rule%20creates%20a%20single%20alert%20for%20multiple%20MDATP%20alerts%20happening%20in%20the%20scheduling%20window.%20If%20you%20need%20multiple%20alerts%2C%20say%20one%20for%20each%20entity%2C%20there%20is%20a%20private%20preview%20for%20a%20feature%20enabling%20this.%20Note%20that%20those%20alerts%20can%20still%20be%20grouped.%3C%2FSPAN%3E%3C%2FLI%3E%0A%3CLI%3E%3CSPAN%20data-preserver-spaces%3D%22true%22%3ELastly%2C%20it%20does%20imply%20an%20up%20to%205%20minutes%20of%20additional%20latency.%26nbsp%3B%26nbsp%3B%3C%2FSPAN%3E%3C%2FLI%3E%0A%3C%2FUL%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1823572%22%20slang%3D%22en-US%22%3ERe%3A%20Is%20there%20a%20way%20to%20aggregate%20multiple%20alerts%20into%20one%20incident%20in%20Sentinel%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1823572%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F681519%22%20target%3D%22_blank%22%3E%40CurlX%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThank%20you%20very%20much%20for%20the%20information.%3C%2FP%3E%3CP%3EI%20am%20already%20using%20this%20feature%20and%20I%20am%20having%20good%20results.%3C%2FP%3E%3CP%3EOne%20problem%20I%20am%20experiencing%20is%20with%20a%20grouping%20function.%20I%20configured%20to%20group%20by%20%5Baccount%5D.%20When%20a%20query%20is%20executed%2C%20the%20logs%20point%20to%20two%20different%20users%2C%20but%20it%20generated%20only%20one%20ticket%20containing%20the%20two%20different%20entities%20in%20the%20same%20incident%2C%20even%20with%20a%20grouping%20option%20per%20%5Baccount%5D.%3C%2FP%3E%3CP%3EThe%20correct%20one%20should%20open%20two%20incidents%2C%20one%20for%20each%20%5Baccount%5D%2C%20right%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20grouped%20the%20rule%20by%20the%20field%20%5Bid_incident%5D%2C%20using%20the%20entity%20%5Baccount%5D.%20In%20the%20raw%20logs%2C%20two%20types%20of%20%5Bincident_id%5D%20were%20generated%20and%20only%20one%20use%20case%20was%20created%20containing%20the%20two%20accounts.%20The%20correct%20thing%20should%20be%20two%20incidents%2C%20because%20there%20were%20two%20different%20%5Bid_incidents%5D.%20Am%20I%20correct%20in%20my%20thinking%3F%3C%2FP%3E%3CP%3ECan%20you%20help%20me%3CBR%20%2F%3Ein%20that%20regard%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EExample%3A%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22img.png%22%20style%3D%22width%3A%20400px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F229544i2C9468A488BBC1FC%2Fimage-size%2Fmedium%3Fv%3D1.0%26amp%3Bpx%3D400%22%20role%3D%22button%22%20title%3D%22img.png%22%20alt%3D%22img.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%E2%80%83%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1824971%22%20slang%3D%22en-US%22%3ERe%3A%20Is%20there%20a%20way%20to%20aggregate%20multiple%20alerts%20into%20one%20incident%20in%20Sentinel%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1824971%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F733311%22%20target%3D%22_blank%22%3E%40luizao_lf%3C%2FA%3E%26nbsp%3B%3A%20I%20think%20that%20the%20feature%20you%20are%20looking%20for%20is%20%22event%20grouping%22%20rather%20than%20%22alert%20grouping%22.%20The%20former%20will%20split%20each%20result%20of%20the%20rule%20query%20into%20a%20differnt%20alert.%20See%20more%20in%20the%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fsentinel%2Ftutorial-detect-threats-custom%22%20target%3D%22_self%22%20rel%3D%22noopener%20noreferrer%22%3Edocumantation%3C%2FA%3E.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1827231%22%20slang%3D%22en-US%22%3ERe%3A%20Is%20there%20a%20way%20to%20aggregate%20multiple%20alerts%20into%20one%20incident%20in%20Sentinel%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1827231%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F293879%22%20target%3D%22_blank%22%3E%40Ofer_Shezaf%3C%2FA%3E%26nbsp%3B%26nbsp%3B%3C%2FP%3E%3CP%3EThanks%20for%20the%20reply.%3C%2FP%3E%3CP%3EIt's%20working.%3C%2FP%3E%3CP%3EIt%20was%20crucial.%3C%2FP%3E%3C%2FLINGO-BODY%3E
Occasional Contributor

Within Sentinel we see alerts from various different portals such as Defender Security Center. In the Defender Security Center we have one overview for alerts and one for incidents. One Defender incident can contain multiple alerts, but in Sentinel these alerts are not aggregated. Is there a way to aggregate these alerts in Sentinel into one incident? I really like the incident view in Defender Security Portal, where I see all relevant alerts in one view. 

8 Replies

@CurlX have you looked at the Analytic Wizard recently? We now have the ability to group alerts into one incident in public preview:

Capture.PNG

@Sarah_Young 

I see this option for custom analytics, but not for the in-built ones like "Create incidents based on Microsoft Defender Advanced Threat Protection alerts"

CurlX_1-1590737515512.png

 

 

@CurlX You are correct in that what @Sarah_Young presented only works for Scheduled alerts (sadly).  In regards to alerts coming from other Azure security resources, you have no control over them and how they are formatted.

 

It would probably be worth adding this to the Azure Sentinel Feedback forum at https://feedback.azure.com/forums/920458-azure-sentinel

@Gary Bushey  Thank you, this confirms my assumption. I have opend an "issue / reques". 

@CurlXOne option is to create a scheduled rule for the MDATP alerts. There are differences to account for:

  • You need a scheduled rule for each alert aggregation is needed for, and exclude it from the Microsoft rule for MDATP alerts.
  • The scheduled rule creates a single alert for multiple MDATP alerts happening in the scheduling window. If you need multiple alerts, say one for each entity, there is a private preview for a feature enabling this. Note that those alerts can still be grouped.
  • Lastly, it does imply an up to 5 minutes of additional latency.  

@CurlX 

Thank you very much for the information.

I am already using this feature and I am having good results.

One problem I am experiencing is with a grouping function. I configured to group by [account]. When a query is executed, the logs point to two different users, but it generated only one ticket containing the two different entities in the same incident, even with a grouping option per [account].

The correct one should open two incidents, one for each [account], right?

 

I grouped the rule by the field [id_incident], using the entity [account]. In the raw logs, two types of [incident_id] were generated and only one use case was created containing the two accounts. The correct thing should be two incidents, because there were two different [id_incidents]. Am I correct in my thinking?

Can you help me
in that regard?

 

Example:

 

img.png

 

@luizao_lf : I think that the feature you are looking for is "event grouping" rather than "alert grouping". The former will split each result of the rule query into a differnt alert. See more in the documantation.

@Ofer_Shezaf  

Thanks for the reply.

It's working.

It was crucial.