Stop creating incidents in Sentinel for every alert generated by a custom detection rule in Defender for Endpoint

Disha Bodade 65 Reputation points
2024-06-25T17:06:28.82+00:00

Hi Team,

I have created a custom rule in Defender with a KQL query to get the details about devices and owners of vulnerable machines. The results have more than 1500 rows, and it is generating that many alerts in Defender.

And the same events are getting pulled by the Microsoft Defender XDR data connector into the Sentinel SecurityAlert table.
And then that many incidents are generated in Sentinel; it is generating a separate incident for each alert.

Nowhere do I get the option to group all rows from the KQL results together as a single alert, which would create a single incident in Sentinel.

Or, if I let it create alerts in Defender, I can try to auto-resolve them using alert tuning, but how do I stop creating that many alerts in Sentinel?

Below is the KQL query I am using.

DeviceTvmSoftwareVulnerabilities
| where CveId == "CVE-2024-30078"
// DeviceInfo supplies Timestamp, ReportId and LoggedOnUsers; joining on
// DeviceName matches every DeviceInfo record for that device
| join kind=inner (DeviceInfo) on DeviceName
| where Timestamp > ago(1h)
// LoggedOnUsers is a JSON array; one row per logged-on user
| extend parsedJson = parse_json(LoggedOnUsers)
| mv-expand UserDetails = parsedJson
| extend UserName = tostring(UserDetails.UserName)
| where UserName != "labuser"
| project CveId, DeviceId, DeviceName, DeviceOwner = UserName, Domain = tostring(UserDetails.DomainName), SoftwareVendor, SoftwareName, SoftwareVersion, Timestamp, ReportId
// distinct takes column names, so the tostring() conversions are done in project above
| distinct DeviceName, DeviceOwner, DeviceId, Timestamp, ReportId, Domain

Thanks

Microsoft Sentinel
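A custom detection rule raises an alert for each row its query returns, and in the query above the mv-expand over LoggedOnUsers and the join against every DeviceInfo record in the last hour both multiply the rows per device. The rewrite below is an added example, not part of the original post: it collapses the result to one row per vulnerable device while keeping the Timestamp, DeviceId and ReportId columns a custom detection requires; the column names follow the standard advanced hunting schema, the CVE is the one from the question, and the per-device grouping is an assumption about what the asker wants.

```kql
// Added example: one row (and therefore one alert) per vulnerable device,
// instead of one per device x logged-on user x DeviceInfo record.
let cve = "CVE-2024-30078";      // CVE taken from the question
let lookback = 1h;
// Latest DeviceInfo record per device in the window, so the join below
// cannot fan out when a device reported several times in the hour.
let LatestDeviceInfo = DeviceInfo
    | where Timestamp > ago(lookback)
    | summarize arg_max(Timestamp, DeviceName, LoggedOnUsers, ReportId) by DeviceId;
DeviceTvmSoftwareVulnerabilities
| where CveId == cve
// Fold the affected software into a set so there is one row per device.
| summarize AffectedSoftware = make_set(strcat(SoftwareVendor, " ", SoftwareName, " ", SoftwareVersion))
    by DeviceId, CveId
| join kind=inner LatestDeviceInfo on DeviceId
// Expand the logged-on users only to filter them, then fold them back.
| mv-expand User = parse_json(LoggedOnUsers)
| extend UserName = tostring(User.UserName), Domain = tostring(User.DomainName)
| where UserName != "labuser"
| summarize DeviceOwners = make_set(strcat(Domain, @"\", UserName)),
            AffectedSoftware = take_any(AffectedSoftware)
    by DeviceId, DeviceName, CveId, Timestamp, ReportId
// Timestamp, DeviceId and ReportId are mandatory for a custom detection;
// DeviceId also maps the device entity on the alert.
| project Timestamp, DeviceId, ReportId, DeviceName, CveId, DeviceOwners, AffectedSoftware
```

A custom detection still cannot emit one alert for all devices, because each result row must carry its own Timestamp, DeviceId and ReportId; this brings the alert count down to the number of affected devices, with the owners carried in the alert as a set.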

1 answer

  1. Akshay-MSFT 17,641 Reputation points Microsoft Employee
    2024-06-27T07:37:46.9866667+00:00

    @Disha Bodade

    You could set up incident settings in both the Azure and the Defender portal to club all incidents generated by this alert rule into one.

    On the Azure portal:

    If you don't have any further queries and the suggestion above answers your ask, please "Accept the answer". This will help us and others in the community as well.

    Thanks,

    Akshay Kaushik