
Azure Sentinel Incident Aggregation Conditions

Mira_P
Tera Contributor

Hello,

We are currently setting up the integration between ServiceNow and Azure Sentinel. We created a profile for Azure Sentinel and wanted to ask if anyone has found a good or recommended solution for aggregating alerts (step 3 of the profile setup). During the mapping we saw that you can map multiple observables, but under the aggregation conditions list there is only one generic mention of "observable". We would like to add more matching fields if that's possible, preferably an observable that is the source IP. Is there a way to edit this list of dropdowns? See screenshot for reference. Thank you.
