Forum Discussion
Pavan_Gelli
Dec 17, 2019, Copper Contributor
How to export incidents in azure sentinel
Hi Team, I need to export the incidents to Excel. Is this possible? Basically I want to summarize the number of incidents triggered for a certain time period and do further analysis on this. ...
Clive_Watson
Dec 01, 2023, Bronze Contributor
It's always best to ask, someone will answer (I will if I can and if I'm available).
KheenanH
Dec 01, 2023, Copper Contributor
OK, will do. This is not a query issue. The issue I am having is that the Status field of ALL Azure Sentinel logs shows as NEW, even if they are resolved. The rest of the products listed in the exported log show In Progress, Resolved or New. Sentinel simply shows NEW regardless. What could be happening here?
- Clive_Watson, Mar 08, 2024, Bronze Contributor
This will get you "all" columns. When you are happy, you can replace the "*" on line 11 with a list of the specific columns you need.

```kusto
SecurityIncident
| extend Alerts = extract("\\[(.*?)\\]", 1, tostring(AlertIds))
| mv-expand AlertIds to typeof(string),
    Labels to typeof(string),
    Comments to typeof(string),
    AdditionalData to typeof(string)
| join kind=inner (
    SecurityAlert
) on $right.SystemAlertId == $left.AlertIds
| summarize AlertCount=dcount(AlertIds),
    arg_max(TimeGenerated, *)
    by IncidentNumber
```

Including the three for Classification.
- KheenanH, Mar 08, 2024, Copper Contributor
Clive_Watson, I am back at this again.
I've been poking around for a few days. I've found that I am unable to find where it stores any notes we enter, whether it's when we resolve it or not. Also, is there a way to get the classification reason out of here?
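An added KQL example, not code from either participant, for the two asks in this thread: an Excel-ready export with the current Status and the Classification columns, and a per-period count. It assumes that SecurityIncident appends a new row every time an incident is modified (so the first row of each incident always reads "New" and the current state is the latest row), and that the note typed when closing an incident lands in ClassificationComment; the 30-day lookback is a constructed value.

```kusto
// Added example, not from the thread above. Assumption: SecurityIncident
// appends a new row each time an incident is modified, so the earliest row
// for every incident carries Status == "New" and the current state is the
// most recent row. Exporting without collapsing that history is one reason an
// export can show "New" for incidents that are actually resolved.
let lookback = 30d;   // constructed value: set to the reporting period needed
SecurityIncident
| where TimeGenerated > ago(lookback)
// Collapse the update history to one row per incident: the latest record.
| summarize arg_max(TimeGenerated, *) by IncidentNumber
// Columns a reviewer typically wants in the export. ClassificationComment is
// assumed to hold the note entered at close time; Comments is the comment
// thread stored as a dynamic array, so only its length is exported here.
| project IncidentNumber, Title, Severity, Status, Classification,
          ClassificationReason, ClassificationComment,
          CommentCount = array_length(Comments),
          CreatedTime, ClosedTime, LastModifiedTime
| order by CreatedTime asc
// For the per-period summary asked for in the opening post, replace the
// project and order by operators above with:
// | summarize IncidentCount = count(),
//             ClosedCount = countif(Status == "Closed")
//       by Week = startofweek(CreatedTime), Classification, ClassificationReason
// | order by Week asc
```

Run it in the Logs blade of the Sentinel workspace and use Export to download the result set as CSV for Excel; the arg_max step is what keeps Status and Classification from reflecting the incident's creation record.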
- KheenanH, Dec 01, 2023, Copper Contributor
In looking at the query language there was a Status1. I added that and now Sentinel shows Closed. Clive_Watson
- Clive_Watson, Dec 01, 2023, Bronze Contributor
I'm not seeing that behaviour (I checked three workspaces in 3 regions).
Do you have an Automation Rule changing them back to "New"?