SOLVED

Multiple alerts generating an incident

%3CLINGO-SUB%20id%3D%22lingo-sub-1103245%22%20slang%3D%22en-US%22%3EMultiple%20alerts%20generating%20an%20incident%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1103245%22%20slang%3D%22en-US%22%3E%3CP%3EI%20see%20in%20the%20Incident's%20page%20that%20there%20is%20a%20field%20that%20lists%20the%20number%20of%20alerts%20used%20to%20generate%20an%20incident.%26nbsp%3B%20%26nbsp%3BHow%20does%20this%20work%3F%26nbsp%3B%20How%20can%20you%20have%20multiple%20alerts%20generating%20a%20single%20incident%3F%26nbsp%3B%20Is%20there%20any%20examples%20of%20this%20somewhere%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1103345%22%20slang%3D%22en-US%22%3ERe%3A%20Multiple%20alerts%20generating%20an%20incident%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1103345%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F46875%22%20target%3D%22_blank%22%3E%40Gary%20Bushey%3C%2FA%3E%26nbsp%3BI%20think%20you%20might%20be%20asking%20about%26nbsp%3BAdvanced%20multistage%20attack%20detection%20in%20Azure%20Sentinel%20or%26nbsp%3B%3CSPAN%3EFusion%20rules.%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fsentinel%2Ffusion%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fsentinel%2Ffusion%3C%2FA%3E%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%3EFusion%20rules%20combine%20two%20or%20more%20alerts%26nbsp%3Bfrom%20Azure%20AD%20Identity%20Protection%20and%20Microsoft%26nbsp%3BCloud%20App%20Security%20to%20create%20one%20incident.%20For%20example%20%22Impossible%20travel%20to%20atypical%20locations%20leading%20to%20suspicious%20cloud%20app%20administrative%20activity%22%2C%20the%20rule%20correlate%20multiple%20alerts%20in%20attempt%26nbsp%3Bto%20predict%26nbsp%3Ba%26nbsp%3Bmultistage%20attack.%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1103400%22%20slang%3D%22en-US%22%3ERe%3A%20Multiple%20alerts%20generating%20an%20incident%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1103400%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F46875%22%20target%3D%22_blank%22%3E%40Gary%20Bushey%3C%2FA%3E%26nbsp%3BThere%20would%20be%20a%20confusing%20concept%20here%20that%20Microsoft%20might%20need%20to%20consider%20fixing%20or%20providing%20better%20clarification.%26nbsp%3B%20The%20alert%20you%20see%20can%20be%20either%20from%20%3CSTRONG%3EMicrosoft%20incident%20creation%20rule%3C%2FSTRONG%3E%20or%20%3CSTRONG%3Escheduled%20analytics%20rule%3C%2FSTRONG%3E.%20An%20alert%20is%20generated%20when%20the%20rule%20matches%20the%20condition%20(a%20query%20executes%20and%20result%20is%20greater%20than%20a%20value%20-%20rule%20threshold).%20When%20an%20alert%20is%20generated%20an%20incident%20is%20generated%20and%20it%20appears%20in%20the%20Incident%20page.%20You%20can%20only%20see%20the%20alert%20by%20doing%20the%20query%20in%20the%20Log%20Analytics%20workspace%20that%20Azure%20Sentinel%20is%20connected%20to.%20The%20query%20would%20be%20simple%20as%20follows%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CPRE%20class%3D%22lia-code-sample%20language-markup%22%3E%3CCODE%3ESecurityAlert%0A%0A%7C%20where%20AlertName%20%3D%3D%20%22Your_Analytics_Rule_Name%22%0A%0A%7C%20where%20ProductName%20%3D%3D%20%22Azure%20Sentinel%22%20or%0A%0A%20%20%20%20%20%20%20%20%20%20%20%20ProviderName%20%3D%3D%20%22ASI%20Scheduled%20Alerts%22%3C%2FCODE%3E%3C%2FPRE%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EFor%20%3CSTRONG%3EMicrosoft%20incident%20creation%20rule%26nbsp%3B%3C%2FSTRONG%3Esimply%20query%26nbsp%3B%20%3CSTRONG%3E%7C%20where%20ProductName%20%3D%3D%20%22Azure%20Security%20Center%22%3C%2FSTRONG%3E%26nbsp%3B(for%20example%20if%20you%20want%20to%20query%20ASC%20alert%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fazsec.azurewebsites.net%2F2019%2F12%2F10%2Fworking-with-azure-security-center-alert-from-azure-sentinel%2F%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fazsec.azurewebsites.net%2F2019%2F12%2F10%2Fworking-with-azure-security-center-alert-from-azure-sentinel%2F%3C%2FA%3E)%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EYou%20would%20be%20able%20to%20achieve%20multiple%20alerts%20to%20generate%20one%20incident%20when%20you%20toggle%20rule%20suppression%20On.%20When%20suppression%20is%20on%20Sentinel%20will%20not%20execute%20the%20query%20to%20generate%20another%20alert%20%26gt%3B%20incident.%20It%20might%20put%20many%20alerts%20to%20one%20generated%20incident.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1103514%22%20slang%3D%22en-US%22%3ERe%3A%20Multiple%20alerts%20generating%20an%20incident%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1103514%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F370232%22%20target%3D%22_blank%22%3E%40ehloworldio%3C%2FA%3E%26nbsp%3BThat%20makes%20sense.%26nbsp%3B%20Thanks.%3C%2FP%3E%3C%2FLINGO-BODY%3E
Highlighted
Super Contributor

I see in the Incident's page that there is a field that lists the number of alerts used to generate an incident.   How does this work?  How can you have multiple alerts generating a single incident?  Is there any examples of this somewhere?

3 Replies
Highlighted
Best Response confirmed by Gary Bushey (Super Contributor)
Solution

@Gary Bushey I think you might be asking about Advanced multistage attack detection in Azure Sentinel or Fusion rules. https://docs.microsoft.com/en-us/azure/sentinel/fusion

 

Fusion rules combine two or more alerts from Azure AD Identity Protection and Microsoft Cloud App Security to create one incident. For example "Impossible travel to atypical locations leading to suspicious cloud app administrative activity", the rule correlate multiple alerts in attempt to predict a multistage attack.

 

Highlighted

@Gary Bushey There would be a confusing concept here that Microsoft might need to consider fixing or providing better clarification.  The alert you see can be either from Microsoft incident creation rule or scheduled analytics rule. An alert is generated when the rule matches the condition (a query executes and result is greater than a value - rule threshold). When an alert is generated an incident is generated and it appears in the Incident page. You can only see the alert by doing the query in the Log Analytics workspace that Azure Sentinel is connected to. The query would be simple as follows

 

 

 

SecurityAlert

| where AlertName == "Your_Analytics_Rule_Name"

| where ProductName == "Azure Sentinel" or

            ProviderName == "ASI Scheduled Alerts"

 

 

For Microsoft incident creation rule simply query  | where ProductName == "Azure Security Center" (for example if you want to query ASC alert https://azsec.azurewebsites.net/2019/12/10/working-with-azure-security-center-alert-from-azure-senti...

 

You would be able to achieve multiple alerts to generate one incident when you toggle rule suppression On. When suppression is on Sentinel will not execute the query to generate another alert > incident. It might put many alerts to one generated incident.

Highlighted

@ehloworldio That makes sense.  Thanks.