Is there a way to group Azure Active Directory Identity Protection alerts such as "Unfamiliar sign-in properties" in Azure Sentinel?
We are seeing hundreds of these alerts being raised on a daily basis and it is causing quite a lot of noise in the incidents panel of Azure Sentinel.
What would be really useful is a way to group all these alerts into a single incident, however, I do not see a way to do this.
Any guidance would be greatly appreciated.
@TS-noodlemctwoodle If you modify the Analytics Rule, there's a couple spots in the wizard to configure alert grouping. The first is on the Set Rule Logic page. The other location is on the Incident Settings (Preview) page.
I have created a custom Scheduled rule and used this KQL to capture the same information that Identity Protection captures in the event.
SecurityAlert
| summarize arg_max(TimeGenerated, *) by SystemAlertId
| where DisplayName has "Unfamiliar sign-in properties"
| where AlertSeverity has "Low"
| project SystemAlertId, Entities, ExtendedProperties
| extend Entities = iff(isempty(Entities), todynamic('[{"dummy" : ""}]'), todynamic(Entities))
| extend ExtendedProperties = iff(isempty(ExtendedProperties), todynamic('[{"dummy" : ""}]'), todynamic(ExtendedProperties))
| mvexpand Entities, ExtendedProperties
| evaluate bag_unpack(Entities)
| evaluate bag_unpack(ExtendedProperties)
| extend userName = columnifexists("User Account", "")
| extend ipAddress = columnifexists("Address", "")I mapped the entities from the KQL in the rule
I grouped all alerts into a single incident
Thank you very much for the information.
I am already using this feature and I am having good results.
One problem I am experiencing is with a grouping function. I configured to group by [account]. When a query is executed, the logs point to two different users, but it generated only one ticket containing the two different entities in the same incident, even with a grouping option per [account].
The correct one should open two incidents, one for each [account], right?
