Forum Discussion
Incident Investigation question
GaryBushey This might be due to the new Event Aggregation feature that was released into Public Preview today.
This feature is meant to help you reduce the noise in your Azure Sentinel incidents queue.
Today, each alert generated from a scheduled Analytics rule creates a new Azure Sentinel incident.
Using the new ‘Incident Configuration’ tab in the Analytics rule wizard, you can configure how alerts generated by that Analytics rule are aggregated into incidents.
You can also decide to run scheduled alerts that do not generate an incident at all – but are only saved in the SecurityAlert table in your Azure Sentinel workspace.
- GaryBushey, Feb 20, 2020, Bronze Contributor
karacole If that is the case, it is a HUGE step backward in functionality as far as I am concerned. As it stands now, I can see associated alerts for a user, as an example. However, there is no longer any linking of those associated alerts back to any of the Incidents other than the one that I used to see the associated alerts.
So if the associated alerts also have the same IP address, I have no way of telling that using the Investigation feature now. If I mouse over one of the associated alerts in the Timeline view, only that original incident is highlighted, none of the others will be.
This makes it much harder to see the associations in my view.
- GaryBushey, Feb 20, 2020, Bronze Contributor
karacole Sorry, forgot to thank you for taking the time to answer this question in the first place.
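The two posts above describe the same investigation gap from opposite sides: alert grouping (and alert-only rules that write to SecurityAlert without creating an incident) on one hand, and the analyst's need to see every incident an alert with a given IP address belongs to on the other. The KQL query below is an added example, not code from either poster or from Microsoft; it assumes the workspace has the SecurityAlert and SecurityIncident tables and that incident rows carry the grouped alert IDs in the AlertIds column. The IP address is a constructed placeholder.

```kql
// Added example: for one IP address, list every alert whose entities mention it
// and the incident(s) each alert was grouped into. Alerts produced by
// alert-only rules (no incident) still appear, with empty incident columns.
// Assumption: SecurityAlert and SecurityIncident tables exist in the workspace.
let lookback = 7d;
let target_ip = "203.0.113.5";   // constructed example value
// Step 1: alerts that carry the IP as an entity (Entities is a JSON string)
let alerts_with_ip =
    SecurityAlert
    | where TimeGenerated > ago(lookback)
    | extend ents = parse_json(Entities)
    | mv-expand ent = ents
    | where tostring(ent.Type) == "ip" and tostring(ent.Address) == target_ip
    | project SystemAlertId, AlertName, AlertTime = TimeGenerated, IpAddress = tostring(ent.Address)
    | distinct SystemAlertId, AlertName, AlertTime, IpAddress;
// Step 2: latest record of each incident, exploded to one row per grouped alert id
let incident_alerts =
    SecurityIncident
    | summarize arg_max(LastModifiedTime, *) by IncidentNumber
    | mv-expand AlertId = AlertIds
    | project IncidentNumber, IncidentTitle = Title, IncidentStatus = Status, AlertId = tostring(AlertId);
// Step 3: left join so alerts that never became an incident are kept
alerts_with_ip
| join kind=leftouter incident_alerts on $left.SystemAlertId == $right.AlertId
| project AlertTime, AlertName, SystemAlertId, IpAddress, IncidentNumber, IncidentTitle, IncidentStatus
| order by AlertTime desc
```

Change the entity filter (for example `ent.Type == "account"` with `ent.Name`) to pivot on a user instead of an IP; the join logic stays the same. Rows with an empty IncidentNumber are exactly the alert-only results the first post mentions, which the Investigation graph will not show.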