Apr 24 2020 06:21 AM - edited Apr 24 2020 06:22 AM
Hi,
Is there a way to aggregate AlertName in a second layer correlation rule and/or pass it as a parameter in the AlertName?
Thanks in advance
Apr 26 2020 07:03 AM
Can you provide an example? It is not clear what the intended result is.
Adrian Grigorof
Apr 26 2020 07:05 AM - edited Apr 26 2020 07:24 AM
Hey and thanks for your response.
I have, for example, a catch-all scheduled rule for WDATP named "WDATP - Catch All". Is there a way to aggregate the AlertName of the WDATP alerts into the scheduled rule name, or pass it as a parameter? Because now, when the scheduled rule is triggered, regardless of the name of the alert I always get "WDATP - Catch All".
This is crucial in order to have layers of rules for correlated events, so as to be able to aggregate fields and pass them to all levels of correlation rules like in a traditional SIEM.
As far as I understand, for now this is not possible and the only fields that can be aggregated are the CustomEntities fields (IP, HOST, ACCOUNT, URL).
It is also needed in an MSSP environment with multi-customer support, in order to know, e.g., in which customer which alert got a hit, etc.
Is there any other workaround for this? Is it a feature that should be requested?
I hope it's more clear now. Feel free to reach me via PM also for clarifications.
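An added example, not posted by anyone in this thread: a catch-all scheduled-rule query over Defender ATP alerts from two customer workspaces. It does not rename the incident (the thread notes that is not possible for a Defender ATP catch-all), but it keeps AlertName and the source workspace in the rule's result rows, so each triggered incident still records which alert and which customer fired it. The workspace names and the one-hour lookback are assumptions.

```kql
// Added example (not from the thread). Workspace names are placeholders.
// Pull SecurityAlert from each customer workspace and tag the source,
// so an MSSP can tell which customer an alert came from.
union isfuzzy=true
    (workspace("customerA-workspace").SecurityAlert
        | extend SourceWorkspace = "customerA-workspace"),
    (workspace("customerB-workspace").SecurityAlert
        | extend SourceWorkspace = "customerB-workspace")
// Defender ATP alerts are surfaced with ProviderName "MDATP".
| where ProviderName == "MDATP"
| where TimeGenerated > ago(1h)   // assumed lookback; match the rule's frequency
// Group by the original alert name rather than collapsing everything into
// one anonymous "catch all" row; the name and workspace stay visible in
// the incident's alert evidence even though the incident title does not change.
| summarize AlertCount = count(),
            FirstSeen  = min(TimeGenerated),
            LastSeen   = max(TimeGenerated),
            Hosts      = make_set(CompromisedEntity, 10)
    by SourceWorkspace, AlertName, AlertSeverity
| order by SourceWorkspace asc, AlertSeverity asc, AlertCount desc
```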
Apr 26 2020 07:40 AM
Apr 26 2020 08:49 AM
@akefallonitis In addition to what @AdiGrio posted, which seems to be the best solution for your specific example, you can use Playbooks to change the title of an incident if you are using a Scheduled Analytic rule (which, unfortunately, you cannot do with an alert generated from Defender ATP). The Playbook can read the alert and, based on either the information in the alert or some other information, change the title of the incident that was generated to better suit what you need.
You can trigger this Playbook when looking at the Alert in the Incident's Full Details page for any incident, but that is not an automatic process.
Apr 26 2020 10:23 AM
@Gary Bushey @AdiGrio Thank you both for your answers.
So I understand this is more of a feature request, so I moved it to the request page: https://feedback.azure.com/forums/920458-azure-sentinel/suggestions/40271452-azure-sentinel-rules-fi...
As for the playbooks, is there a way to trigger them from multi-workspace Sentinel alerts?