You have an Azure Sentinel workspace that has an Azure Active Directory (Azure AD) connector and an Office 365 connector.
From the workspace, you plan to create a scheduled query rule that will use a custom query. The rule will be used to generate alerts when inbound access to Office 365 from specific user accounts is detected.
You need to ensure that when multiple alerts are generated by the rule, the alerts are consolidated as a single incident per user account.
What should you do?
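One configuration that meets the stated requirement, as an added example that is not part of the original question: a Bicep definition of the scheduled analytics rule with the matched user principal name mapped to the Account entity and alert grouping enabled with the Account entity selected, so that alerts for the same user account are consolidated into one incident while different accounts get separate incidents. The workspace name, the rule name, and the two watched UPNs in the query are constructed placeholders.

```bicep
// Added example, not from the original question. Assumptions: workspaceName,
// the rule name and the two UPNs in the query are constructed placeholders.
param workspaceName string

// The Sentinel workspace that has the Azure AD and Office 365 connectors.
resource workspace 'Microsoft.OperationalInsights/workspaces@2022-10-01' existing = {
  name: workspaceName
}

// Scheduled rule: an extension resource scoped to the workspace.
resource rule 'Microsoft.SecurityInsights/alertRules@2023-02-01' = {
  name: 'o365-inbound-watched-users'
  scope: workspace
  kind: 'Scheduled'
  properties: {
    displayName: 'Office 365 inbound access by watched user accounts'
    enabled: true
    severity: 'Medium'
    // Custom query over the Azure AD sign-in table; the account list is a placeholder.
    query: '''
SigninLogs
| where ResultType == 0
| where AppDisplayName has "Office 365"
| where UserPrincipalName in~ ("alice@contoso.example", "bob@contoso.example")
| project TimeGenerated, UserPrincipalName, AppDisplayName, IPAddress
'''
    queryFrequency: 'PT5M'
    queryPeriod: 'PT5M'
    triggerOperator: 'GreaterThan'
    triggerThreshold: 0
    suppressionEnabled: false
    suppressionDuration: 'PT1H'
    // Map the UPN column to the Account entity so grouping can key on it.
    entityMappings: [
      {
        entityType: 'Account'
        fieldMappings: [
          { identifier: 'FullName', columnName: 'UserPrincipalName' }
        ]
      }
    ]
    incidentConfiguration: {
      createIncident: true
      groupingConfiguration: {
        enabled: true                 // alert grouping on
        reopenClosedIncident: false
        lookbackDuration: 'PT5H'      // group alerts raised within this window
        matchingMethod: 'Selected'    // group only on the entities listed below
        groupByEntities: [ 'Account' ] // one incident per user account
      }
    }
  }
}
```

With `matchingMethod` set to `AllEntities` instead, alerts would only merge when every mapped entity matched, and with `AnyAlert` every alert from the rule would land in one incident regardless of account.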