Forum Discussion
SangaraNarayanan
Jan 04, 2024 · Copper Contributor
All the events pertaining to the incident are not shown when grouping based on Tenant enabled.
We do have a customer base with more than one entity(customer company) sending logs to one Sentinel instance. For differentiating between the entities, we have enabled grouping of alerts based on ten...
SangaraNarayanan
Jan 05, 2024 · Copper Contributor
Hello, thanks for the response. When we clicked events, it's taking us to individual alerts and we need to click on events inside them. We need that at one shot. When we raised a support request, we were asked to put a request in this forum as a new feature request.
rutgersmeets
Jan 14, 2024 · Brass Contributor
Hi SangaraNarayanan!
I've written the following query, in hopes that it meets your requirements.
let lookback = 90d;
SecurityIncident
| where TimeGenerated > ago(lookback) and IncidentNumber == 122
| summarize arg_max(TimeGenerated, AlertIds) by IncidentName
| mv-expand AlertId = AlertIds to typeof(string)
| join kind=inner (SecurityAlert
| where TimeGenerated > ago(lookback * 2)
| summarize arg_max(TimeGenerated, ExtendedProperties) by SystemAlertId
| project AlertResults = tostring(parse_json(ExtendedProperties).Query), SystemAlertId)
on $left.AlertId == $right.SystemAlertId
| project compressedRec = parse_json(replace_string(replace_string(replace_string(AlertResults, '// might contain sensitive data\nlet alertedEvent = datatable(compressedRec: string)\n', ''), '\n| extend raw = todynamic(zlib_decompress_from_base64_string(compressedRec)) | evaluate bag_unpack(raw) | project-away compressedRec;\nalertedEvent', ''), "'", '"'))
| where compressedRec startswith '["' // This will filter out alerts for which extraction failed, possibly because alert event grouping was enabled.
| mv-expand compressedRec to typeof(string)
| project raw = parse_json(zlib_decompress_from_base64_string(compressedRec))
| evaluate bag_unpack(raw)
It uses the Query property of the ExtendedProperties column to reconstruct the original events. It works in the same way that the official Incident Overview works, but this query allows you to gather all the original events belonging to one incident in one go.
If you are seeing a lot of empty values in the results, it might be that the alerts that are grouped in your incidents came from multiple Analytics Rules and have a different output schema. In that case, I would recommend that you remove the last line of the query and provide the original events to your clients in JSON format.
Please note that this solution does not work for non-Sentinel alerts, and for alerts from Analytics Rules using "Event grouping". I have also not tested this extensively, so use at your own risk 🙂
This question was quite interesting, so I decided to write about the solution in more detail on my blog at https://rutgersmeets.eu/obtaining-a-grouped-microsoft-sentinel-incidents-raw-events. Thank you for the opportunity!
Best regards,
Rutger
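The reconstruction the query above performs, shown as an added Python example that is not the poster's code and not part of Microsoft Sentinel: the wrapper strings are taken from the replace_string() calls in the KQL, a constructed Query value of that shape is built from sample events, and the same steps the KQL applies (strip the wrapper, swap single quotes for double quotes, parse the array, base64-decode and zlib-decompress each record) are reversed outside the workspace. The function names build_query_property, extract_events and incident_events and the sample events are assumptions made for this example.

```python
import base64
import json
import zlib

# Wrapper that surrounds the compressed records in ExtendedProperties.Query,
# copied from the replace_string() literals in the KQL posted above.
PREFIX = ("// might contain sensitive data\n"
          "let alertedEvent = datatable(compressedRec: string)\n")
SUFFIX = ("\n| extend raw = todynamic(zlib_decompress_from_base64_string(compressedRec))"
          " | evaluate bag_unpack(raw) | project-away compressedRec;\nalertedEvent")


def build_query_property(events):
    """Constructed sample only: produce a Query string of the shape the KQL
    expects from a list of event dicts, so the example runs offline.
    In Sentinel this value arrives in SecurityAlert.ExtendedProperties."""
    recs = [base64.b64encode(zlib.compress(json.dumps(e).encode())).decode()
            for e in events]
    body = "[" + ", ".join("'" + r + "'" for r in recs) + "]"
    return PREFIX + body + SUFFIX


def extract_events(query):
    """Mirror the KQL: strip the wrapper, turn '...' into "...", parse the
    JSON array, then base64-decode and zlib-decompress every record.
    Returns None where the KQL's startswith '["' filter would drop the alert
    (non-Sentinel alert, or an Analytics Rule with event grouping enabled)."""
    if not (query.startswith(PREFIX) and query.endswith(SUFFIX)):
        return None
    body = query[len(PREFIX):len(query) - len(SUFFIX)].replace("'", '"')
    if not body.startswith('["'):
        return None
    records = json.loads(body)
    return [json.loads(zlib.decompress(base64.b64decode(r))) for r in records]


def incident_events(alert_queries):
    """Gather the original events of every alert in one incident, skipping
    alerts whose Query is not in the datatable form. Unlike the KQL, the
    SystemAlertId is kept on each row so an analyst can trace an event back
    to the alert it came from (an addition for this example)."""
    out = []
    for alert_id, query in alert_queries:
        events = extract_events(query)
        if events is None:
            continue
        for e in events:
            out.append({"SystemAlertId": alert_id, **e})
    return out


if __name__ == "__main__":
    # Constructed sample: two alerts in one incident, one of them not reconstructable.
    sample = [{"Computer": "host1", "Account": "a"}, {"Computer": "host2", "Account": "b"}]
    rows = incident_events([("alert-1", build_query_property(sample)),
                            ("alert-2", "SecurityEvent | where EventID == 4625")])
    print(json.dumps(rows, indent=2))
```

Rows from alerts produced by different Analytics Rules will have different keys, which is the same schema mismatch the post mentions; keeping the rows as dicts (or emitting them as JSON) avoids the empty columns that bag_unpack would otherwise produce.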