You may have noticed today that a new Public Preview component has made its way into your Azure Sentinel console. But it’s truly possible that you didn’t because the feature is tucked away inside the Analytics Rule wizard.
When you modify an existing Scheduled-type Analytics Rule, or create a brand new one, there’s now an extra Event Grouping option on the Rule Logic step page.
What is Event Grouping?
Event Grouping is yet another way to help adjust the noise in the system to allow your security team to put focus where it needs to put focus to maximize security operations.
With Event Grouping, you have two options:
- Group all events into a single alert (the default setting). Using this option, the rule will generate a single alert every time it runs if the query returns more results than the number you have specific for the Alert Threshold.
- Trigger an alert for each event. When this option is selected, the rule will generate a unique alert for every event that is returned by the rule logic.
Why might you want to adjust this? This could be useful if you want events to be displayed individually, but more so this is an instance where you might want to group the alerts by specific criteria. A good example would be if you have identified a specific user account, hostname, or IP address that you believe has been compromised and want to track that specifically in the system.
Current limitation: Currently the number of alerts a rule can generate is capped at 20. If in a particular rule, Event grouping is set to Trigger an alert for each event, and the rule’s query returns more than 20 events, each of the first 19 events will generate a unique alert, and the twentieth alert will summarize the entire set of returned events. In other words, the twentieth alert is what would have been generated under the Group all events into a single alert option.
And, as always…