🔥 3-day streak
Microsoft Security Operations Analyst134 / 190
Question 134 of 190

You manage a Microsoft Sentinel scheduled analytics rule that detects failed sign-ins from a single IP address. During a password-spray campaign, the rule fires dozens of times per hour, each creating a separate incident. Analysts are overwhelmed by the volume. You want related alerts from this rule to be consolidated into as few incidents as possible while still grouping by the source IP. Which configuration should you apply in the rule's incident settings?

Reviewed for accuracy · Report an issueNext question