<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>question Azure Sentinel Incident Aggregation Conditions in SecOps forum</title>
    <link>https://www.servicenow.com/community/secops-forum/azure-sentinel-incident-aggregation-conditions/m-p/3297798#M12980</link>
    <description>&lt;P&gt;Hello,&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;We are currently setting up the integration between ServiceNow and Azure Sentinel. We created a profile for Azure Sentinel and wanted to ask if anyone has found a good or recommended solution for aggregating alerts (step 3 of the profile setup). During the mapping we saw that you can map multiple observables, but the aggregation conditions list contains only one generic "observable" entry. We would like to add more matching fields if that's possible, preferably an observable that is the source IP.&amp;nbsp; Is there a way to edit the options in this dropdown list? See screenshot for reference. Thank you.&amp;nbsp;&lt;/P&gt;</description>
    <pubDate>Mon, 23 Jun 2025 21:28:41 GMT</pubDate>
    <dc:creator>Mira_P</dc:creator>
    <dc:date>2025-06-23T21:28:41Z</dc:date>
    <item>
      <title>Azure Sentinel Incident Aggregation Conditions</title>
      <link>https://www.servicenow.com/community/secops-forum/azure-sentinel-incident-aggregation-conditions/m-p/3297798#M12980</link>
      <description>&lt;P&gt;Hello,&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;We are currently setting up the integration between ServiceNow and Azure Sentinel. We created a profile for Azure Sentinel and wanted to ask if anyone has found a good or recommended solution for aggregating alerts (step 3 of the profile setup). During the mapping we saw that you can map multiple observables, but the aggregation conditions list contains only one generic "observable" entry. We would like to add more matching fields if that's possible, preferably an observable that is the source IP.&amp;nbsp; Is there a way to edit the options in this dropdown list? See screenshot for reference. Thank you.&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Mon, 23 Jun 2025 21:28:41 GMT</pubDate>
      <guid>https://www.servicenow.com/community/secops-forum/azure-sentinel-incident-aggregation-conditions/m-p/3297798#M12980</guid>
      <dc:creator>Mira_P</dc:creator>
      <dc:date>2025-06-23T21:28:41Z</dc:date>
    </item>
  </channel>
</rss>

