Forum Discussion
GaryBushey
Feb 14, 2020 (Bronze Contributor)
Incident Investigation question
Did the functionality of the Incident graphical investigation change? I have 4 alerts that share the same user and IPAddress entities. Previously, when I did an investigation and clicked on Rel...
karacole
Microsoft
GaryBushey This might be due to the new Event Aggregation feature that was released into Public Preview today.
This feature is meant to help you reduce the noise in your Azure Sentinel incidents queue.
Today, each alert generated from a scheduled Analytics rule creates a new Azure Sentinel incident.
Using the new ‘Incident Configuration’ tab in the Analytics rule wizard, you can configure how alerts generated by that Analytics rule are aggregated into incidents.
You can also decide to run scheduled alerts that do not generate an incident at all – but are only saved in the SecurityAlert table in your Azure Sentinel workspace.
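A constructed model of the grouping behaviour described above, added here as an example (not Microsoft's code and not from the original poster): the entity names, the 5-hour lookback window and the matching rule are assumptions used to illustrate how alerts sharing the same Account and IP collapse into one incident instead of four.

```python
# Constructed model of alert-to-incident grouping (assumption-based, not Sentinel's implementation).
# An incident collects alerts from one rule whose selected entity values all match, as long as
# each new alert arrives within the lookback window of the incident's latest alert.
from dataclasses import dataclass, field
from datetime import datetime, timedelta

@dataclass
class Alert:
    rule_id: str
    time: datetime
    entities: dict  # constructed shape, e.g. {"Account": "alice", "IP": "203.0.113.7"}

@dataclass
class Incident:
    rule_id: str
    key: tuple
    last_alert: datetime
    alerts: list = field(default_factory=list)

def group_alerts(alerts, group_by=("Account", "IP"), lookback=timedelta(hours=5), enabled=True):
    """Return the incidents produced; enabled=False reproduces one incident per alert."""
    incidents = []
    for alert in sorted(alerts, key=lambda a: a.time):
        key = tuple(alert.entities.get(t) for t in group_by)
        match = None
        # An alert lacking one of the selected entities is never merged (assumption).
        if enabled and None not in key:
            for inc in incidents:
                if (inc.rule_id == alert.rule_id and inc.key == key
                        and alert.time - inc.last_alert <= lookback):
                    match = inc
                    break
        if match is None:
            match = Incident(alert.rule_id, key, alert.time)
            incidents.append(match)
        match.alerts.append(alert)
        match.last_alert = alert.time
    return incidents

# Constructed sample: four alerts sharing user and IP, one with a different IP, one hours later.
T0 = datetime(2020, 2, 14, 9, 0)
SAMPLE = [
    Alert("rule-1", T0 + timedelta(minutes=m), {"Account": "alice", "IP": "203.0.113.7"})
    for m in (0, 2, 5, 9)
] + [
    Alert("rule-1", T0 + timedelta(minutes=3), {"Account": "alice", "IP": "198.51.100.9"}),
    Alert("rule-1", T0 + timedelta(hours=8), {"Account": "alice", "IP": "203.0.113.7"}),
]

if __name__ == "__main__":
    for inc in group_alerts(SAMPLE):
        print(inc.key, len(inc.alerts), "alert(s)")
```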
GaryBushey
Feb 20, 2020 (Bronze Contributor)
karacole Sorry, forgot to thank you for taking the time to answer this question in the first place.