Hi everyone,

When a new case is generated and the event type is either NRT or Scheduled, we only see a single event line in the case. In contrast, for other native alerts—like those from XDR—we see multiple event lines, typically one per entity type or kind.

I've already enabled the new connector v.51 option:
"Use the same approach with event creation for all alert types?"
I also verified that the Sentinel custom rules have entities properly mapped under the "Set rule logic" section.

However, even after enabling that setting, I'm still not seeing the entities being broken out into separate events when alerts are ingested.

Am I missing something in the configuration?
Also, can someone clarify the exact behavior or purpose of the "Use the same approach with event creation for all alert types" setting?
How can I ensure entity mapping from custom rules is reflected properly in the events?

Thanks in advance!

Hey @ORBR,
Can you share what connector you are using? Also, it would be great if you could show the same alert side-by-side in Sentinel vs SecOps (make sure PII is blurred).