As you can see, I made an override for the azure.signinlogs.properties.risk_level_during_signin field.
But now the alert I configured triggers on low, medium and high risky signins. While actually I only want alerts for high risky signins. Could a functionality be added that the alert only triggers when a certain condition is met, for example when "rule severity has one or more values"?
This definitely sounds like really useful functionality. I found a few resources that may be of use here and could satisfy the behavior you are looking for.
Have you heard of building block rules? In your stated case, you could mark the rule in your example as a building block rule. This would still create the alerts but hide them from the UI so that they don't create unnecessary noise. Then you could create a rule that searches the alerts index for those with high severity. You can find info on building block rules here.
@yctercero Thanks for the help and suggestions, but imho this type of rule is not a building block alert. My question was more specific to the email action, which I only want to trigger for high severity alerts, not for low or medium alerts (due to the override). Migrating this to a building block rule and creating a new rule to check for high severity alerts only for this specific rule seems a bit overkill. It seems much more logical to me to split up the rule in 3. Then I can provide custom settings and filters per severity.
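For reference, the building-block approach suggested above, written out as two Kibana detection rule bodies (added example, not from the thread or from Elastic's documentation). It assumes an 8.x stack where alerts live in `.alerts-security.alerts-default` and carry the `kibana.alert.rule.name` / `kibana.alert.severity` fields, and that an email connector already exists; the connector id and recipients are placeholders.

```json
[
  {
    "name": "Azure risky sign-in (building block)",
    "description": "Constructed example. Fires on any risky Azure sign-in; building_block_type hides it from the alerts UI.",
    "type": "query",
    "index": ["logs-azure*", "filebeat-*"],
    "query": "event.dataset:azure.signinlogs and azure.signinlogs.properties.risk_level_during_signin:(low or medium or high)",
    "risk_score": 21,
    "severity": "low",
    "severity_mapping": [
      { "field": "azure.signinlogs.properties.risk_level_during_signin", "operator": "equals", "value": "low", "severity": "low" },
      { "field": "azure.signinlogs.properties.risk_level_during_signin", "operator": "equals", "value": "medium", "severity": "medium" },
      { "field": "azure.signinlogs.properties.risk_level_during_signin", "operator": "equals", "value": "high", "severity": "high" }
    ],
    "building_block_type": "default",
    "interval": "5m",
    "from": "now-6m",
    "enabled": true
  },
  {
    "name": "Azure risky sign-in - high severity only",
    "description": "Constructed example. Re-alerts only on high-severity alerts produced by the building block rule, so the email action fires just for those.",
    "type": "query",
    "index": [".alerts-security.alerts-default"],
    "query": "kibana.alert.rule.name:\"Azure risky sign-in (building block)\" and kibana.alert.severity:high",
    "risk_score": 73,
    "severity": "high",
    "interval": "5m",
    "from": "now-6m",
    "enabled": true,
    "actions": [
      {
        "action_type_id": ".email",
        "id": "<EMAIL-CONNECTOR-ID-PLACEHOLDER>",
        "group": "default",
        "params": {
          "to": ["soc@example.invalid"],
          "subject": "High-risk Azure sign-in: {{context.rule.name}}",
          "message": "{{state.signals_count}} high-severity risky sign-in alert(s) in the last run."
        }
      }
    ]
  }
]
```

Each object is one rule body for the detection rules API; the low and medium alerts still exist in the alerts index for investigation, they just never reach the email action.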