Forum Discussion
Ignore alerts if Entities Match previous within the last 24 hours
LodewykV I have configured the rule to group the alerts if the entities match. I have a question about that function, though. I have configured my query to run every 5 minutes. If I set the limit to group alerts created within 1 hour, then after the first alert is generated by the first query run, will the subsequent alerts be added to the first one, and won't they trigger an automated playbook? I get that the alerts generated within the hour will be grouped. My question, however, is how that will affect the automation. The first query runs and generates an alert, which triggers a playbook. The query runs again after 45 minutes and generates another alert with the same entities; will that trigger the playbook, or will it just be added to the first alert and not trigger the playbook?
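The analytics-rule settings the question describes (a 5-minute query frequency, alerts grouped when their entities match, grouping limited to alerts created within 1 hour), written out as a Scheduled rule in Bicep. This is an added example, not configuration from the thread; the workspace name, rule name, query and entity columns are assumptions.

```bicep
// Added example: Scheduled analytics rule with entity-based alert grouping.
// Assumed names: workspace 'sentinel-ws', query against SigninLogs.
param workspaceName string = 'sentinel-ws'

resource workspace 'Microsoft.OperationalInsights/workspaces@2021-06-01' existing = {
  name: workspaceName
}

resource groupedRule 'Microsoft.SecurityInsights/alertRules@2021-10-01' = {
  name: guid('example-grouped-rule') // rule id; any stable GUID works
  scope: workspace
  kind: 'Scheduled'
  properties: {
    displayName: 'Example: repeated sign-in failures (grouped by entity)'
    enabled: true
    severity: 'Medium'
    // Placeholder detection query (assumed); the grouping settings below are the point.
    query: 'SigninLogs | where ResultType != "0" | summarize Failures = count() by UserPrincipalName, IPAddress | where Failures > 5'
    queryFrequency: 'PT5M' // "run every 5 minutes", as in the question
    queryPeriod: 'PT5M'    // how far back each run looks
    triggerOperator: 'GreaterThan'
    triggerThreshold: 0
    suppressionEnabled: false
    suppressionDuration: 'PT5H'
    // Entities the grouping logic compares between alerts.
    entityMappings: [
      {
        entityType: 'Account'
        fieldMappings: [
          {
            identifier: 'FullName'
            columnName: 'UserPrincipalName'
          }
        ]
      }
      {
        entityType: 'IP'
        fieldMappings: [
          {
            identifier: 'Address'
            columnName: 'IPAddress'
          }
        ]
      }
    ]
    incidentConfiguration: {
      createIncident: true
      groupingConfiguration: {
        enabled: true
        reopenClosedIncident: false
        lookbackDuration: 'PT1H'      // "limit the group to alerts created within 1 hour"
        matchingMethod: 'AllEntities' // group only when every mapped entity matches
      }
    }
  }
}
```

Alerts from later runs whose mapped entities all match an alert raised within the previous hour are added to that alert's incident rather than opening a new one.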
There is a new possibility in private preview, which will only trigger once per incident. This would be a solution for you, but it's not GA yet.
- sammyredo, Oct 15, 2020, Copper Contributor
Thijs Lecomte You might be referring to "When Azure Sentinel incident creation rule was triggered"?
Thank you for the response
- Thijs Lecomte, Oct 15, 2020, Bronze Contributor
Yes, it is!
- sammyredo, Oct 15, 2020, Copper Contributor
Thijs Lecomte Thank you! But is there a way to stop alerts from being generated for the same entities repeatedly, especially if the source is only generating one such alert?