Azure Sentinel Incident Aggregation Conditions
06-23-2025 02:26 PM - edited 06-23-2025 02:28 PM
Hello,
We are currently setting up the integration between ServiceNow and Azure Sentinel. We created a profile for Azure Sentinel and wanted to ask if anyone has found a good or recommended solution for aggregating alerts (step 3 of the profile setup). During the mapping we saw that you can map multiple observables, but under the aggregation conditions list there is only one generic mention of "observable". We would like to add more matching fields if that's possible, preferably an observable that is the source IP. Is there a way to edit this list of dropdowns? See screenshot for reference. Thank you.