Hi Team,
I have created a custom rule in Defender with a KQL query to get the details about the devices and owners of vulnerable machines. The results have more than 1500 rows, and it is generating that many alerts in Defender.
The same events are being pulled by the Microsoft Defender XDR data connector into the Sentinel SecurityAlert table.
Then that many incidents are generated in Sentinel; it generates a separate incident for each alert.
Nowhere do I get the option to group all rows from the KQL results together as a single alert, which would create a single incident in Sentinel.
Or, letting it create alerts in Defender, I can try to auto-resolve them using alert tuning, but how do I stop that many alerts from being created in Sentinel?
Below is the KQL query I am using:
// Vulnerable-software records for the CVE(s) of interest
DeviceTvmSoftwareVulnerabilities
| where CveId has_any ("CVE-2024-30078")
// Join the latest DeviceInfo record per device from the last hour. DeviceInfo carries
// Timestamp, ReportId and LoggedOnUsers, which a custom detection rule needs; filtering
// and taking arg_max() before the join avoids one output row per inventory snapshot
| join kind=inner (
    DeviceInfo
    | where Timestamp > ago(1h)
    | summarize arg_max(Timestamp, ReportId, LoggedOnUsers) by DeviceId
  ) on DeviceId
// LoggedOnUsers is a JSON array; expand to one row per logged-on user
| mv-expand UserDetails = parse_json(LoggedOnUsers)
| extend DeviceOwner = tostring(UserDetails.UserName), Domain = tostring(UserDetails.DomainName)
| where DeviceOwner != "labuser"
| project CveId, DeviceId, DeviceName, DeviceOwner, Domain, SoftwareVendor, SoftwareName, SoftwareVersion, Timestamp, ReportId
| distinct DeviceName, DeviceOwner, DeviceId, Timestamp, ReportId, Domain
Thanks
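A custom detection rule raises one alert per row the query returns, so the usual way to get one alert (and, through the Microsoft Defender XDR connector, one Sentinel incident) is to collapse the rows in the query itself with summarize. The query below is an added example, not the original poster's rule: it keeps the same sources and filters but emits one row per CVE and software package, with the affected devices and their logged-on users folded into a set column. The CVE and excluded-user lists, the 1000-element cap on make_set, and the grouping keys are assumptions for illustration. Because a custom detection still requires Timestamp, ReportId and DeviceId columns, one representative device record is kept with arg_max().

```kql
// Added example (not the poster's query): one alert per CVE/software instead of one per row.
let cves = dynamic(["CVE-2024-30078"]);      // assumed: CVE list to detect
let excludedUsers = dynamic(["labuser"]);    // assumed: accounts to ignore
// Latest inventory record per device in the last hour (gives Timestamp, ReportId, LoggedOnUsers)
let recentDevices =
    DeviceInfo
    | where Timestamp > ago(1h)
    | summarize arg_max(Timestamp, ReportId, LoggedOnUsers) by DeviceId;
DeviceTvmSoftwareVulnerabilities
| where CveId in (cves)
| join kind=inner recentDevices on DeviceId
// LoggedOnUsers is a JSON array; one row per logged-on user
| mv-expand UserDetails = parse_json(LoggedOnUsers)
| extend DeviceOwner = tostring(UserDetails.UserName),
         Domain = tostring(UserDetails.DomainName)
| where DeviceOwner !in (excludedUsers)
// Collapse to one row per CVE and software package:
//  - dcount/make_set carry the full device and owner list in the alert,
//  - arg_max keeps one device record so the rule still has Timestamp/ReportId/DeviceId.
| summarize
    AffectedDeviceCount = dcount(DeviceId),
    AffectedDevices = make_set(strcat(DeviceName, " (", Domain, @"\", DeviceOwner, ")"), 1000),
    arg_max(Timestamp, ReportId, DeviceId)
    by CveId, SoftwareVendor, SoftwareName, SoftwareVersion
```

The trade-off is that the alert's impacted-asset entity is only the one representative DeviceId; the full list lives in the AffectedDevices column. If you still want per-device alerts in Defender, this summarized rule can run alongside the original (for example, daily rather than hourly), and the per-device rule can be tuned or disabled so that Sentinel, which mirrors the alerts Defender raises, only receives the summarized one.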