Forum Discussion
All the events pertaining to the incident are not shown when grouping based on Tenant is enabled.
If you are experiencing issues where all events related to an incident are not visible when grouping based on Tenant, consider the following steps to troubleshoot the problem:
Check Filters: Ensure that your filtering settings are configured correctly. Double-check if there are any filters applied that might be excluding certain events. Adjust the filters to include the relevant criteria for the events related to the incident.
Date Range: Verify the date range settings for your view. If the events occurred outside the specified date range, they might not be visible. Adjust the date range to encompass the timeframe of the incident.
Grouping Settings: Review the grouping settings to make sure that events related to the incident are included in the grouping criteria. Adjust the grouping parameters if necessary to ensure that all relevant events are considered.
Permissions: Confirm that your user account has the necessary permissions to view all events related to the incident. In some cases, access restrictions may limit the visibility of certain information.
Data Integrity: Check the integrity of the data related to the incident. If there are inconsistencies or errors in the data, it might affect the grouping and display of events. Ensure that the data is accurate and complete.
Software Version: Ensure that you are using the latest version of the software or platform. Updates and patches are often released to address bugs and improve functionality.
Contact Support: If the issue persists, consider reaching out to the support team of the software or platform. They can provide specific assistance based on the details of your incident and the features of the tool you are using.
By going through these steps, you should be able to identify and resolve the issues preventing the visibility of all events related to the incident when grouping based on Tenant.
Hello, thanks for the response. When we click events, it takes us to individual alerts and we need to click on events inside them. We need that in one shot. When we raised a support request, we were asked to put a request in this forum as a new feature request.
- rutgersmeets, Jan 14, 2024, Brass Contributor
Hi SangaraNarayanan!
I've written the following query, in hopes that it meets your requirements.
let lookback = 90d;
SecurityIncident
| where TimeGenerated > ago(lookback) and IncidentNumber == 122
| summarize arg_max(TimeGenerated, AlertIds) by IncidentName
| mv-expand AlertId = AlertIds to typeof(string)
| join kind=inner (
    SecurityAlert
    | where TimeGenerated > ago(lookback * 2)
    | summarize arg_max(TimeGenerated, ExtendedProperties) by SystemAlertId
    | project AlertResults = tostring(parse_json(ExtendedProperties).Query), SystemAlertId
  ) on $left.AlertId == $right.SystemAlertId
| project compressedRec = parse_json(replace_string(replace_string(replace_string(AlertResults, '// might contain sensitive data\nlet alertedEvent = datatable(compressedRec: string)\n', ''), '\n| extend raw = todynamic(zlib_decompress_from_base64_string(compressedRec)) | evaluate bag_unpack(raw) | project-away compressedRec;\nalertedEvent', ''), "'", '"'))
| where compressedRec startswith '["' // This will filter out alerts for which extraction failed, possibly because alert event grouping was enabled.
| mv-expand compressedRec to typeof(string)
| project raw = parse_json(zlib_decompress_from_base64_string(compressedRec))
| evaluate bag_unpack(raw)
It uses the Query property of the ExtendedProperties column to reconstruct the original events. It works in the same way that the official Incident Overview works, but this query allows you to gather all the original events belonging to one incident in one go.
If you are seeing a lot of empty values in the results, it might be that the alerts that are grouped in your incidents came from multiple Analytics Rules and have a different output schema. In that case, I would recommend taking away the last line of the query and providing the original events to your clients in JSON format.
Please note that this solution does not work for non-Sentinel alerts, and for alerts from Analytics Rules using "Event grouping". I have also not tested this extensively, so use at your own risk 🙂
This question was quite interesting, so I decided to write about the solution in more detail on my blog at https://rutgersmeets.eu/obtaining-a-grouped-microsoft-sentinel-incidents-raw-events. Thank you for the opportunity!
Best regards,
Rutger
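The same unwrapping that the KQL above performs on ExtendedProperties.Query (strip the datatable wrapper, split the record list, base64-decode and zlib-decompress each record), as an added stand-alone example that is not part of Rutger's post or of Sentinel. It is useful when alerts have been exported (for example via the Log Analytics API) and the events must be recovered outside the portal. It assumes the wrapper text is exactly what the thread's query quotes; the sample events and the build_sample_query helper are constructed for illustration.

```python
import base64
import json
import zlib
from typing import List, Optional

# Wrapper text Sentinel places around the alerted events in
# ExtendedProperties.Query, as quoted in the thread's KQL query.
PREFIX = ("// might contain sensitive data\n"
          "let alertedEvent = datatable(compressedRec: string)\n")
SUFFIX = ("\n| extend raw = todynamic(zlib_decompress_from_base64_string(compressedRec))"
          " | evaluate bag_unpack(raw) | project-away compressedRec;\nalertedEvent")


def decode_alert_events(query: Optional[str]) -> Optional[List[dict]]:
    """Recover the original events from one alert's ExtendedProperties.Query.

    Returns None when the text lacks the expected datatable wrapper. The KQL
    in the thread drops those rows with `startswith '["'`; this is what you
    get for non-Sentinel alerts and for rules that use event grouping.
    """
    if not query or not (query.startswith(PREFIX) and query.endswith(SUFFIX)):
        return None
    body = query[len(PREFIX):-len(SUFFIX)]
    # The body is a KQL datatable literal such as ['abc', 'def']. The KQL
    # query swaps ' for " and parses it as JSON; do the same here.
    records = json.loads(body.replace("'", '"'))
    events = []
    for rec in records:
        raw = zlib.decompress(base64.b64decode(rec))  # zlib stream, base64-wrapped
        events.append(json.loads(raw))
    return events


def build_sample_query(events: List[dict]) -> str:
    """Constructed test input: a Query value in the same shape Sentinel uses."""
    recs = [base64.b64encode(zlib.compress(json.dumps(e).encode())).decode()
            for e in events]
    return PREFIX + "[" + ", ".join(f"'{r}'" for r in recs) + "]" + SUFFIX


if __name__ == "__main__":
    # Constructed sample: two failed-logon style events behind one alert.
    sample = build_sample_query([
        {"Computer": "HOST01", "EventID": 4625, "Account": "svc-backup"},
        {"Computer": "HOST02", "EventID": 4625, "Account": "jdoe"},
    ])
    print(json.dumps(decode_alert_events(sample), indent=2))
    print(decode_alert_events("SecurityEvent | where EventID == 4625"))  # None
```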