Forum Discussion
akefallonitis
May 25, 2020 · Brass Contributor
Expanded Entities Combined in one alert/incident
Hi, I am trying to figure out how the default "Create incidents based on Microsoft Defender Advanced Threat Protection alerts" works with entities, expanding them and correlating them in one inciden...
Ofer_Shezaf
Microsoft
Jun 15, 2020
akefallonitis: I may have misled you. I tried to help with your workaround. Microsoft rules automatically assign all entities, even those not available for alert rules.
akefallonitis
Jun 17, 2020 · Brass Contributor
Hi Ofer, I understand the point of your comment about the workaround, and thank you for that. I am actually doing something similar with mv-apply / mv-expand.
The only problem is to correctly use make_set and summarize so I can extend all the needed properties by SystemAlertId, so I can write a generic scheduled rule similar to the Microsoft ones and aggregate all the values needed into one result for all MS products.
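An added example of the query shape the post above describes (this is not code posted by anyone in the thread): it expands the Entities JSON of each SecurityAlert row, folds the values back into per-type sets keyed by SystemAlertId with make_set_if, and then exposes one value per type in the AccountCustomEntity / HostCustomEntity / IPCustomEntity / URLCustomEntity / FileHashCustomEntity columns that Sentinel scheduled-rule templates of that time used for entity mapping. The entity property names (Type, Name, HostName, Address, Url, Value) follow the Sentinel entity schema and are assumptions; check them against the Entities column of your own alerts before relying on them.

```kql
// Added example, not from the original thread. Assumes the Sentinel
// SecurityAlert table, whose Entities column holds a JSON array of objects
// with a "Type" field and type-specific properties (assumed names below).
SecurityAlert
| where TimeGenerated > ago(1d)
| where isnotempty(Entities)
// Entities is a string column; turn it into a dynamic array and expand one row per entity.
| extend EntityList = todynamic(Entities)
| mv-expand Entity = EntityList
| extend EntityType = tolower(tostring(Entity.Type))
// Pick the identifying property for each entity type we care about (assumed property names).
| extend EntityValue = case(
    EntityType == "account",  tostring(Entity.Name),
    EntityType == "host",     tostring(Entity.HostName),
    EntityType == "ip",       tostring(Entity.Address),
    EntityType == "url",      tostring(Entity.Url),
    EntityType == "filehash", tostring(Entity.Value),
    "")
| where isnotempty(EntityValue)
// Collapse back to one row per alert: keep the alert's own fields with arg_max,
// and aggregate the entity values into one set per type.
| summarize arg_max(TimeGenerated, AlertName, AlertSeverity, ProductName, ProviderName),
            Accounts   = make_set_if(EntityValue, EntityType == "account"),
            Hosts      = make_set_if(EntityValue, EntityType == "host"),
            IPs        = make_set_if(EntityValue, EntityType == "ip"),
            Urls       = make_set_if(EntityValue, EntityType == "url"),
            FileHashes = make_set_if(EntityValue, EntityType == "filehash")
    by SystemAlertId
// Scheduled-rule entity mapping takes a single value per column, so surface the
// first element of each set; the full sets stay available for the alert details.
| extend AccountCustomEntity  = tostring(Accounts[0]),
         HostCustomEntity     = tostring(Hosts[0]),
         IPCustomEntity       = tostring(IPs[0]),
         URLCustomEntity      = tostring(Urls[0]),
         FileHashCustomEntity = tostring(FileHashes[0])
| project-reorder SystemAlertId, TimeGenerated, ProductName, ProviderName, AlertName, AlertSeverity
```

Because the grouping key is SystemAlertId, the same query works across every product that writes to SecurityAlert; add a `where ProviderName in (...)` filter only if you want to limit the rule to particular sources. Note that entities whose Type is not listed in the `case()` are dropped by the `where isnotempty(EntityValue)` line, so extend the `case()` for any additional types (process, dns, and so on) you need to carry into the incident.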
byuck
Oct 07, 2020 · Copper Contributor
Hello akefallonitis, I have the same problem. If you are successful, can you share your query?