Forum Discussion

zaylinhtun's avatar
zaylinhtun
Copper Contributor
Feb 02, 2022

How to get the real count of incidents in Microsoft Sentinel?

Hi guys, when I do the monthly report for my customers, I found different counts of security incidents. I can not determine the real count of incidents? Please see the attached files for your refere...
  • Clive_Watson's avatar
    Clive_Watson
    Feb 02, 2022

    zaylinhtun 

     

    Your second screen shot shows 7days selected, so if the UI is set to 30days, then that's the difference?

    // Show count for last 30days 
SecurityIncident
| where TimeGenerated > ago(30d)
| summarize count() by IncidentNumber, IncidentName, Title , Severity

// daily count from midnight 30days ago
SecurityIncident
| where TimeGenerated > startofday(ago(30d))
| summarize count() by bin(TimeGenerated,1d)
| order by TimeGenerated asc
//| render columnchart

     

    For each SecurityIncident there will be a SecurityAlert entry, but there could be more than one Alert - so the SecurityAlert count is often higher?  e.g. This single Incident 10725 has three Alerts

     

    This KQL should match what you see in the UI

    SecurityIncident
| summarize IncidentCount = count()  by IncidentNumber, tostring(AlertIds), Title
| extend Alerts = extract("\\[(.*?)\\]", 1, tostring(AlertIds))
| mv-expand todynamic(AlertIds) to typeof(string)
| join 
(
    SecurityAlert
    | summarize AlertCount = count() by AlertSeverity, SystemAlertId, AlertName
) on $left.AlertIds == $right.SystemAlertId
| summarize sum(AlertCount), make_set(AlertName) by IncidentNumber, Title



Clive_Watson's avatar
Clive_Watson
Bronze Contributor

zaylinhtun 

 

Your second screen shot shows 7days selected, so if the UI is set to 30days, then that's the difference?

// Show count for last 30days 
SecurityIncident
| where TimeGenerated > ago(30d)
| summarize count() by IncidentNumber, IncidentName, Title , Severity

// daily count from midnight 30days ago
SecurityIncident
| where TimeGenerated > startofday(ago(30d))
| summarize count() by bin(TimeGenerated,1d)
| order by TimeGenerated asc
//| render columnchart

 

For each SecurityIncident there will be a SecurityAlert entry, but there could be more than one Alert - so the SecurityAlert count is often higher?  e.g. This single Incident 10725 has three Alerts

 

This KQL should match what you see in the UI

SecurityIncident
| summarize IncidentCount = count()  by IncidentNumber, tostring(AlertIds), Title
| extend Alerts = extract("\\[(.*?)\\]", 1, tostring(AlertIds))
| mv-expand todynamic(AlertIds) to typeof(string)
| join 
(
    SecurityAlert
    | summarize AlertCount = count() by AlertSeverity, SystemAlertId, AlertName
) on $left.AlertIds == $right.SystemAlertId
| summarize sum(AlertCount), make_set(AlertName) by IncidentNumber, Title



zaylinhtun's avatar
zaylinhtun
Copper Contributor
Feb 02, 2022

Hello Clive_Watson, My UI is set for 7 days too. Not 30 days. But your last KQL is working and matches the count number with UI. Thanks

Resources