Forum Discussion
How to export incidents in azure sentinel
I looked at my previous export and that message "Connection to a custom network indicator" appears to be ok. I just have so many results that it felt broken. It looks to be fine. Is it possible to keep the CompromisedEntity?
How can we keep this format and yet let me pick the date range for the query?
Update: got the entity part. Is there a completed/solved column?
A date range you can do with a "between"; here is an example:
SecurityAlert
//| where TimeGenerated > ago(5h)
| where TimeGenerated between( datetime(2023-11-01 09:00) .. datetime(2023-11-02 09:00) )
Please see a blog I did for other examples:
https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/how-to-align-your-analytics-with-time-windows-in-azure-sentinel/ba-p/1667574
You can add "CompromisedEntity" to the summarize,
e.g.
| summarize AlertCount=dcount(AlertIds), arg_max(TimeGenerated,Title,
Severity,
Status,
Owner,
ModifiedBy,
CreatedTime,
FirstModifiedTime,
LastModifiedTime,
ProductName,
CompromisedEntity,
Tags= tostring(parse_json(Labels).labelName),
Comments=tostring(parse_json(Comments).message))
by IncidentNumber
- Clive_Watson, Mar 08, 2024, Bronze Contributor
This will get you "all" columns. When you are happy, you can replace the "*" on line 11 with a list of the specific columns you need.
SecurityIncident
| extend Alerts = extract("\\[(.*?)\\]", 1, tostring(AlertIds))
| mv-expand AlertIds to typeof(string),
    Labels to typeof(string),
    Comments to typeof(string),
    AdditionalData to typeof(string)
| join kind=inner (
    SecurityAlert
) on $right.SystemAlertId == $left.AlertIds
| summarize AlertCount=dcount(AlertIds),
    arg_max ( TimeGenerated, * )
    by IncidentNumber
Including the three for Classification
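Pulling the pieces of this thread together (the "between" time window, the incident-to-alert join, CompromisedEntity, Status, and the classification columns), here is an added KQL example that is not Clive's code; it assumes the standard Microsoft Sentinel SecurityIncident and SecurityAlert column names and a constructed time window.

```kql
// Added example (not from the thread). Exports one row per incident for a chosen
// time window, keeping entity, workflow and classification columns.
let startTime = datetime(2023-11-01 09:00);   // constructed window, adjust as needed
let endTime   = datetime(2023-11-02 09:00);
SecurityIncident
| where TimeGenerated between (startTime .. endTime)
// Labels and Comments are dynamic arrays; flatten them to strings for export
| extend Tags = tostring(Labels), IncidentComments = tostring(Comments)
// one row per alert id so the join below can match SecurityAlert.SystemAlertId
| mv-expand AlertIds to typeof(string)
| join kind=inner (
    SecurityAlert
    // rename before joining: the alert also has Status and TimeGenerated, and
    // KQL would otherwise suffix the right-hand duplicates (Status1, TimeGenerated1),
    // which is easy to confuse with the incident's own Status
    | project SystemAlertId, AlertName, AlertSeverity,
              AlertStatus = Status, AlertTime = TimeGenerated, CompromisedEntity
) on $left.AlertIds == $right.SystemAlertId
// collapse back to one row per incident, taking the most recent incident record
| summarize AlertCount = dcount(AlertIds),
            AlertNames = make_set(AlertName),
            Entities   = make_set(CompromisedEntity),
            arg_max(TimeGenerated,
                    Title, Severity, Status, Owner, ModifiedBy,
                    CreatedTime, FirstModifiedTime, LastModifiedTime, ClosedTime,
                    // the three classification columns plus the closing note
                    Classification, ClassificationReason, ClassificationComment,
                    ProductName, Tags, IncidentComments)
  by IncidentNumber
// a simple completed/solved flag derived from the incident status
| extend IsClosed = (Status == "Closed")
| order by IncidentNumber asc
```

The explicit rename inside the join is the check to make when a Status column unexpectedly reads "New" for every row: confirm the value is coming from the incident and not from the joined alert.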
- KheenanH, Mar 08, 2024, Copper Contributor
Clive_Watson, I am back at this again.
I've been poking around for a few days. I've found that I am unable to find where it stores any notes we enter, whether it's when we resolve it or not. Also, is there a way to get the classification reason out of here?
- KheenanH, Dec 01, 2023, Copper Contributor
In looking at the query language there was a Status1. I added that and now Sentinel shows closed, Clive_Watson.
- Clive_Watson, Dec 01, 2023, Bronze Contributor
I'm not seeing that behaviour (I checked three workspaces in 3 regions).
Do you have an Automation Rule changing them back to "new"?
- KheenanH, Dec 01, 2023, Copper Contributor
OK, will do. This is not a query issue. The issue I am having is that ALL Azure Sentinel logs' Status field shows as NEW, even if they are resolved. The rest of the products listed in the exported log will show in progress, resolved or new. Sentinel simply just shows NEW regardless. What could be happening here?
- Clive_Watson, Dec 01, 2023, Bronze Contributor
It's always best to ask; someone will answer (I will if I can and if I'm available).
- KheenanH, Dec 01, 2023, Copper Contributor
Clive_Watson, are you able to help with a different type of question related to this?
- KheenanH, Nov 14, 2023, Copper Contributor
This is amazing. Thank you for helping me out. I think I can start to really look at this more to get what we need. I really do appreciate all your help.