Forum Discussion
Pavan_Gelli
Dec 17, 2019 - Copper Contributor
How to export incidents in azure sentinel
Hi Team, I need to export the incidents to Excel. Is this possible? Basically, I want to summarize the number of incidents triggered for a certain time period and do further analysis on this. ...
KheenanH
Mar 08, 2024 - Copper Contributor
Clive_Watson, I am back at this again.
I've been poking around for a few days. I've found that I am unable to find where it stores any notes we enter, whether it's when we resolve it or not. Also, is there a way to get the classification reason out of here?
Clive_Watson
Mar 08, 2024 - Bronze Contributor
This will get you "all" columns. When you are happy, you can replace the "*" on line 11 with a list of the specific columns you need.
SecurityIncident
// pull the alert id list out of the AlertIds array as a string
| extend Alerts = extract("\\[(.*?)\\]", 1, tostring(AlertIds))
// one row per alert id (and per label / comment / additional-data entry)
| mv-expand AlertIds to typeof(string), Labels to typeof(string), Comments to typeof(string), AdditionalData to typeof(string)
// attach the matching SecurityAlert row for each alert id
| join kind=inner
(
SecurityAlert
) on $left.AlertIds == $right.SystemAlertId
// collapse back to one row per incident, keeping the latest update and all columns
| summarize AlertCount=dcount(AlertIds),
arg_max
(
TimeGenerated, *
)
by IncidentNumber
Including the three for Classification.
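Added example, not from the thread or from any of the posters: a KQL query that pulls the latest state of each incident, with the three Classification columns (Classification, ClassificationReason, ClassificationComment) and the incident comments flattened into one text column, so the result can be exported to CSV from the Logs blade and opened in Excel. It assumes that each entry in the Comments array carries a "message" field; check that against your own workspace with "SecurityIncident | take 1 | project Comments" before relying on it.

```kql
// Added example (not the forum poster's query).
// SecurityIncident gets a new row every time an incident is updated, so first
// keep only the latest row per incident, then flatten comments and join them back.
let lookback = 30d;
let Latest = SecurityIncident
    | where TimeGenerated > ago(lookback)
    | summarize arg_max(TimeGenerated, *) by IncidentNumber;
// Flatten the Comments array to one string per incident.
// Assumption: each comment object exposes its text as "message".
let Notes = Latest
    | mv-expand Comment = Comments
    | summarize CommentText = strcat_array(make_list(tostring(Comment.message)), " | ")
        by IncidentNumber;
Latest
// leftouter keeps incidents that have no comments at all
| join kind=leftouter Notes on IncidentNumber
| project IncidentNumber, Title, Severity, Status,
          Classification, ClassificationReason, ClassificationComment,
          CreatedTime, ClosedTime, CommentText
| order by IncidentNumber asc
// For the original question (number of incidents per period), replace the
// project/order lines above with:
// | summarize Incidents = count() by bin(CreatedTime, 1d), Severity
```

Run it in the Logs blade and use Export > CSV on the result; the per-incident arg_max is what stops an incident that was edited five times from being counted five times.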