Forum Discussion
SangaraNarayanan
Jan 04, 2024, Copper Contributor
All the events pertaining to the incident are not shown when grouping based on Tenant is enabled.
We do have a customer base with more than one entity (customer company) sending logs to one Sentinel instance. For differentiating between the entities, we have enabled grouping of alerts based on ten...
rutgersmeets
Feb 09, 2024, Brass Contributor
Hi Ruby_Kumari,
Have you tried to use the query that I created in my previous reply? I designed it to provide an overview of grouped alerts (Create custom analytics rules to detect threats with Microsoft Sentinel | Microsoft Learn) for one incident.
In what way does it not meet your requirements? What do you mean by "based on Tenant"?
Best regards,
Rutger
SangaraNarayanan
Feb 09, 2024, Copper Contributor
rutgersmeets: Thanks for your response. We did build a custom query for getting the results. But what we asked Microsoft for is a button that, on clicking it, will take me to the Log Analytics workspace to get all the events based on the incident.
Now if we click on events, it takes us to the individual alerts pertaining to the incident.
Thanks,
Sangar
rutgersmeets
Feb 09, 2024, Brass Contributor
Hi SangaraNarayanan,
Thank you for the clarification. If your aim is to ask Microsoft to add this feature to the product, I'm afraid that I have no influence on that. You would need to reach out to your Account Manager and ask for a feature request to be opened.
My recommendation for a direct solution is to create an Azure Workbook. In a Workbook, you can create a custom Incident Overview page and design it to your exact requirements. There are already some interesting solutions in the Content Hub that may serve as an example to what you are trying to achieve. Take a look at "Sentinel Central" or "Incident Management with Microsoft Sentinel".
If you're looking to develop a solution yourself, I recommend reading https://learn.microsoft.com/en-us/azure/azure-monitor/visualize/workbooks-interactive-reports#set-up-a-grid-row-click for more information. You could create two panels: one to list the active incidents in the workspace, and a second to load all the alerts for the selected incident in the results of the first query.
For the first panel, I recommend using the Azure Resource Manager data source, using the following endpoint of the ARM REST API: https://learn.microsoft.com/en-us/rest/api/securityinsights/incidents/list?view=rest-securityinsights-2023-11-01&tabs=HTTP. Be sure to use the $filter option to only show recent and New incidents. A simpler setup would use a normal parameter, allowing for manual entry of the incident number. For the second panel, you could use the query I provided and pass the incident number as a parameter.
I realize that this may not be the answer you were looking for, but I hope it helps!
Kind regards,
Rutger
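Added example for the second workbook panel described in the reply above. This is not Rutger's query (which is not reproduced in this thread) and not Microsoft's code; it is a KQL query written here to illustrate the approach. It assumes a workbook parameter named `IncidentNumber` (substituted by the workbook as `{IncidentNumber}` before the query runs), the standard `SecurityIncident` and `SecurityAlert` tables, and that alerts raised by scheduled analytics rules carry the rule's query and time window in `ExtendedProperties`. Because it pulls that query and window out per alert, it gets closer to the original ask (the raw events behind an incident, not just its alerts) than a plain incident-to-alert join.

```kql
// Added example (not from the original thread): list every alert of one
// incident together with the detection query and time window that produced it.
// {IncidentNumber} is an assumed workbook parameter name.
let incidentNo = toint({IncidentNumber});
SecurityIncident
| where IncidentNumber == incidentNo
// the incident row is re-emitted on every update; keep only the latest state
| summarize arg_max(LastModifiedTime, *) by IncidentNumber
| project IncidentNumber, IncidentTitle = Title, Status, Severity, AlertIds
// AlertIds is a JSON array of SystemAlertId values; one row per alert
| mv-expand AlertId = AlertIds to typeof(string)
| join kind=inner (
    SecurityAlert
    // alerts can also be updated in place; keep the latest copy of each
    | summarize arg_max(TimeGenerated, *) by SystemAlertId
    | extend Props = parse_json(ExtendedProperties)
    | project SystemAlertId, AlertName, AlertSeverity, ProviderName,
              AlertTime = TimeGenerated,
              // for alerts from scheduled analytics rules these keys hold the
              // KQL that fired and the window it ran over (assumed key names);
              // re-running that query over that window returns the raw events
              DetectionQuery = tostring(Props["Query"]),
              QueryStart = todatetime(Props["Query Start Time UTC"]),
              QueryEnd = todatetime(Props["Query End Time UTC"]),
              Entities
) on $left.AlertId == $right.SystemAlertId
| project-away AlertId, SystemAlertId
| sort by AlertTime asc
```

For the first panel, the ARM data source would call the incidents list endpoint Rutger links with an OData filter such as `properties/status eq 'New' and properties/createdTimeUtc ge 2024-02-01T00:00:00Z` (my assumption of the filter syntax; check it against the API reference), and the grid row click would feed the selected `properties.incidentNumber` into the `IncidentNumber` parameter consumed above. The `arg_max` steps matter in practice: both tables receive a new row each time an incident or alert is modified, and without de-duplication a grouped incident shows each alert several times.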