Alert Correlation and Linking

Copper Contributor

Hey team,

As context, I haven't been around Sentinel in about 1.5 years. I am trying to see how I can end up correlating different alerts/incidents in Sentinel based on entities. E.g. assume a scenario where, based upon some custom logs, I have 3 different scheduled rules popping. Between those 3 rules triggered, there is some commonality. E.g. all came from the same user / same IP, whatever. I am trying to see what is the way in Sentinel to show this correlation/story and going from individual alert triage to something cohesive that correlates everything.


I am seeing that the Fusion rule theoretically supports custom scheduled rules in Sentinel for correlation. Any idea on how I could test-fire that to showcase it? I've tried with 2 custom alerts, entities mapped, MITRE, etc. but it didn't trigger. Is there any other way to achieve what I was mentioning? Is there some notebook or something that performs this kind of correlation between alerts that I am not aware of?


Thank you.

0 Replies
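One way to do the entity-based linking the post asks about, as an added example that is not from the post or from Microsoft: Python run over rows exported from the SecurityAlert table (for instance in a Sentinel notebook), indexing each alert by its normalised entities and grouping alerts that share any entity into candidate incidents. The row shape and all sample values are constructed; the code assumes the Entities column is a JSON array of objects carrying a Type field, as scheduled-rule entity mapping emits.

```python
import json
from collections import defaultdict

# Constructed rows shaped like Sentinel's SecurityAlert table: the Entities
# column is a JSON array of entity objects with a Type field (values made up).
SAMPLE_ALERTS = [
    {"SystemAlertId": "a1", "Entities": json.dumps([{"Type": "account", "Name": "jdoe", "UPNSuffix": "contoso.com"}, {"Type": "ip", "Address": "203.0.113.5"}])},
    {"SystemAlertId": "a2", "Entities": json.dumps([{"Type": "account", "Name": "JDoe", "UPNSuffix": "contoso.com"}, {"Type": "ip", "Address": "198.51.100.7"}])},
    {"SystemAlertId": "a3", "Entities": json.dumps([{"Type": "host", "HostName": "WS01"}, {"Type": "ip", "Address": "198.51.100.7"}])},
    {"SystemAlertId": "a4", "Entities": json.dumps([{"Type": "account", "Name": "asmith", "UPNSuffix": "contoso.com"}, {"Type": "ip", "Address": "192.0.2.9"}])},
]

def entity_key(entity):
    """Normalise one entity object to a hashable (type, value) key."""
    kind = entity.get("Type", "").lower()
    if kind == "account":
        name, suffix = entity.get("Name", ""), entity.get("UPNSuffix")
        return ("account", f"{name}@{suffix}".lower() if suffix else name.lower())
    if kind == "ip":
        return ("ip", entity.get("Address", ""))
    if kind == "host":
        return ("host", entity.get("HostName", "").lower())
    return (kind, json.dumps(entity, sort_keys=True))  # fallback: exact match only

def correlate(alerts, min_alerts=2):
    """Map each entity to the sorted ids of alerts it appears in; keep only entities shared by >= min_alerts alerts."""
    index = defaultdict(set)
    for alert in alerts:
        for ent in json.loads(alert.get("Entities") or "[]"):
            index[entity_key(ent)].add(alert["SystemAlertId"])
    return {k: sorted(v) for k, v in index.items() if len(v) >= min_alerts}

def incident_groups(alerts, min_alerts=2):
    """Union-find over shared entities: alerts linked directly or transitively form one candidate incident."""
    parent = {a["SystemAlertId"]: a["SystemAlertId"] for a in alerts}
    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x
    for ids in correlate(alerts, min_alerts).values():
        for other in ids[1:]:
            parent[find(other)] = find(ids[0])
    groups = defaultdict(list)
    for aid in parent:
        groups[find(aid)].append(aid)
    return sorted(sorted(g) for g in groups.values())
```

With the sample rows, a1 and a2 share the account and a2 and a3 share the IP, so a1, a2 and a3 fold into one group while a4 stays alone; raising min_alerts tightens the linking.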