Forum Discussion
Help Needed
- Aug 04, 2021
As Gary mentioned, it is looking for an Alert named "*"; it's not doing a wildcard, if that's what you are trying to do.
This would be enough to show all alerts
SecurityAlert
| where ProductName == "Azure Defender" or ProductName == "Azure Active Directory Identity Protection"
or if you need to filter on a specific AlertName or names?
SecurityAlert
| where ProductName == "Azure Defender" or ProductName == "Azure Active Directory Identity Protection"
| where AlertName == "Atypical travel" or AlertName startswith "Unfamiliar"
or
SecurityAlert
| where ProductName == "Azure Defender" or ProductName == "Azure Active Directory Identity Protection"
| summarize count() by AlertName
- kishore_soc, Aug 04, 2021, Copper Contributor
CliveWatson Thanks, it's working fine...!
Could you please help me out with how to schedule a report for the last 24 hours of alert results on a daily basis, including analyst actions and comments? When I go with the Owner entity on the Logs tab it doesn't show any. Please look into the below screenshot.
Thanks,
Kishore
- CliveWatson, Aug 04, 2021, Former Employee
Scheduling a report - please see the "playbook" example here https://cloudblogs.microsoft.com/industry-blog/en-gb/cross-industry/2020/06/17/log-analytics-or-azure-sentinel-how-schedule-a-report/
"Owner" is a column in SecurityIncident, not SecurityAlert - hence the failure, so you need to join the two tables:
SecurityIncident
| summarize arg_max(TimeGenerated,*) by tostring(IncidentNumber)
| extend Alerts = extract("\\[(.*?)\\]", 1, tostring(AlertIds))
| mv-expand AlertIds to typeof(string)
| join (
    SecurityAlert
    | where ProductName == "Azure Defender" or ProductName == "Azure Active Directory Identity Protection"
    | extend AlertEntities = parse_json(Entities)
    | mv-expand AlertEntities
  ) on $left.AlertIds == $right.SystemAlertId
| summarize by IncidentNumber, tostring(Owner), Title, Alerts, DisplayName, IncidentSeverity=Severity, AlertSeverity, Status
Add this at the end of the last line for comments and tags (if required):
, tostring(Comments), tags=tostring(Labels)
- GaryBushey, Aug 04, 2021, Bronze Contributor
kishore_soc There is no column called Owner in the SecurityAlert table which is why you are getting the error with the project-keep command.
- kishore_soc, Aug 04, 2021, Copper Contributor
Is there any other column name which can show the assigned analysts' names in the results...?
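Added example, not posted by anyone in this thread: it takes Clive's SecurityIncident-to-SecurityAlert join and turns it into the daily "last 24 hours" report Kishore asked for, reading the assigned analyst out of the dynamic Owner column rather than stringifying the whole object. It assumes the Owner sub-fields assignedTo and email and the SecurityAlert columns AlertName, AlertSeverity and SystemAlertId as documented in the Sentinel schema, and a 30-day alert lookback; verify both against your workspace before wiring the query into a scheduled playbook.

```kql
// Added example (not from any participant in this thread). Daily incident report
// for the last 24 hours with analyst assignment, comments, tags and the alerts
// that make up each incident. Assumption: Owner carries assignedTo/email
// sub-fields and Comments/Labels are dynamic arrays, as in the Sentinel schema.
let lookback = 24h;
let alertLookback = 30d;   // alerts can be much older than the incident update
SecurityIncident
| where TimeGenerated > ago(lookback)
// one row per incident: the most recent update carries the current owner/status
| summarize arg_max(TimeGenerated, *) by tostring(IncidentNumber)
| extend AssignedAnalyst = tostring(Owner.assignedTo),
         AnalystEmail    = tostring(Owner.email),
         CommentCount    = coalesce(array_length(Comments), 0)
// one row per (incident, alert id) so the alert details can be joined
| mv-expand AlertId = AlertIds to typeof(string)
| join kind=leftouter (
    SecurityAlert
    | where TimeGenerated > ago(alertLookback)
    | summarize arg_max(TimeGenerated, *) by SystemAlertId
    | project SystemAlertId, AlertName, AlertSeverity, ProductName
  ) on $left.AlertId == $right.SystemAlertId
// collapse back to one row per incident, keeping the set of alert names/severities
| summarize AlertNames      = make_set(AlertName),
            AlertSeverities = make_set(AlertSeverity),
            Products        = make_set(ProductName)
         by IncidentNumber, Title, Status, IncidentSeverity = Severity,
            AssignedAnalyst, AnalystEmail, CommentCount,
            Comments = tostring(Comments), Tags = tostring(Labels),
            LastUpdated = TimeGenerated
| order by IncidentSeverity asc, LastUpdated desc
```

Unassigned incidents show an empty AssignedAnalyst, so a `where isempty(AssignedAnalyst)` on the same result doubles as an "unowned incidents" check for the daily review.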