Microsoft Secure Tech Accelerator
Apr 03 2024, 07:00 AM - 11:00 AM (PDT)
Microsoft Tech Community

Grouping Azure Sentinel - Azure Active Directory Identity Protection alerts

Brass Contributor

Is there a way to group Azure Active Directory Identity Protection alerts such as "Unfamiliar sign-in properties" in Azure Sentinel?

 

We are seeing hundreds of these alerts being raised on a daily basis and it is causing quite a lot of noise in the incidents panel of Azure Sentinel.

 

TS-noodlemctwoodle_0-1602578265862.png

 

What would be really useful is a way to group all these alerts into a single incident, however, I do not see a way to do this.

 

Any guidance would be greatly appreciated.

10 Replies

@TS-noodlemctwoodle If you modify the Analytics Rule, there's a couple spots in the wizard to configure alert grouping. The first is on the Set Rule Logic page. The other location is on the Incident Settings (Preview) page.

 

threshold.png

I have created a custom Scheduled rule and used this KQL to capture the same information that Identity Protection captures in the event. 

 

SecurityAlert
| summarize arg_max(TimeGenerated, *) by SystemAlertId
| where DisplayName has "Unfamiliar sign-in properties"
| where AlertSeverity has "Low"
| project SystemAlertId, Entities, ExtendedProperties
| extend Entities = iff(isempty(Entities), todynamic('[{"dummy" : ""}]'), todynamic(Entities))
| extend ExtendedProperties = iff(isempty(ExtendedProperties), todynamic('[{"dummy" : ""}]'), todynamic(ExtendedProperties))
| mvexpand Entities, ExtendedProperties
| evaluate bag_unpack(Entities)
| evaluate bag_unpack(ExtendedProperties)
| extend userName = columnifexists("User Account", "")
| extend ipAddress = columnifexists("Address", "")

 I mapped the entities from the KQL in the rule

 

TS-noodlemctwoodle_0-1602588163377.png

 

I grouped all alerts into a single incident

TS-noodlemctwoodle_1-1602588256155.png

 

@TS-noodlemctwoodle If you are referring to the Microsoft Security (Preview) rule to "Create incidents based on Azure Active Directory Identity Protection alerts" then the answer is no. The only thing you can change is what severity to include as well as to include or exclude specific alerts.

 

If you are referring to one you created yourself or another Scheduled rule than @Rod_Trent's answer is correct.

@Gary Bushey- I was indeed referring to the Microsoft Security (Preview) rule.
@Rod_Trentas @Gary Bushey says you can't edit the Microsoft Security (Preview) rules like you can with scheduled rules, so this wasn't possible, unfortunately. 

 

I think I have overcome the problem now, I'm just testing it.  :)

My KQL definately requires some work to map the entities to each other. More R&D required :)

What we do is we configure the default Security rule to exclude Unfamiliar sign-ins and then create a custom KQL query like you did.

Make sure you also configure Incident Grouping, which will group everything into one incident.
IMO, you shouldn't Alert Grouping here, as one IDP should be one alert within Sentinel

@Thijs Lecomte 

I found the solution interesting. But if you are going to get the IP logs, through which table will these logs be retrieved?

All IDP Alerts are created in the SecuirtyAlert table

@Thijs Lecomte  

Thank you very much for the information.

I am already using this feature and I am having good results.

One problem I am experiencing is with a grouping function. I configured to group by [account]. When a query is executed, the logs point to two different users, but it generated only one ticket containing the two different entities in the same incident, even with a grouping option per [account].

The correct one should open two incidents, one for each [account], right?

 

luizao_lf_0-1603809304588.png

 

luizao_lf_1-1603809405172.png

 

 

This is because there are multiple events in one alert. In the Rule Logic Tab, there is a section called 'Event Grouping'. You should configure this for 'Trigger an alert for each event'