Forum Discussion
Fetch security events with their underlying log entries
Hello, I am trying to extract all the alerts generated by sentinel including the events that triggered that alert. I have the following query: SecurityIncident | summarize arg_max(TimeGenerated, ...
I tend to use this, which is very similar, you'd have to add you exclusion line into it:
SecurityIncident
| extend Alerts = extract("\\[(.*?)\\]", 1, tostring(AlertIds))
| mv-expand AlertIds to typeof(string), Labels to typeof(string), Comments to typeof(string), AdditionalData to typeof(string)
| join kind=leftouter
(
SecurityAlert
//| where TimeGenerated > ago(10m)
) on $right.SystemAlertId == $left.AlertIds
| summarize AlertCount=dcount(AlertIds),
arg_max
(
TimeGenerated, Title, Severity, Status, Owner,
ModifiedBy, CreatedTime, FirstModifiedTime, LastModifiedTime,
Tags=tostring(parse_json(Labels).labelName),
Comments=tostring(parse_json(Comments).message),
AdditionalData, Tactics, Techniques, SubTechniques,
Classification, ClassificationComment, ClassificationReason,
ProviderName, Description, ExtendedProperties
)
by IncidentNumber
or just this if you want all raw columns
SecurityIncident
| extend Alerts = extract("\\[(.*?)\\]", 1, tostring(AlertIds))
| mv-expand AlertIds to typeof(string), Labels to typeof(string), Comments to typeof(string), AdditionalData to typeof(string)
| join kind=leftouter
(
SecurityAlert
//| where TimeGenerated > ago(10m)
) on $right.SystemAlertId == $left.AlertIds
| summarize AlertCount=dcount(AlertIds),
arg_max
(
TimeGenerated, *
)
by IncidentNumber