Forum Discussion
Query Alert Status and Assigned User
ryanksmith What you are looking at is the listing of Alerts, not the Incidents. Alerts do not get assigned to users, only the Incident will.
Unfortunately, you cannot query Incidents using KQL directly. You have to use the Azure Sentinel REST API. There have been a few posts about doing this lately, including mine on doing this through PowerShell: https://www.garybushey.com/2020/01/11/your-first-azure-sentinel-rest-api-call/
Thanks GaryBushey, I'll take a look. Very surprised we can't query this without having to jump through a bunch of hoops; I have been able to in every other SIEM I have worked with.
- GaryBushey, Jan 31, 2020, Bronze Contributor
ryanksmith I agree, but considering the API is still not G.A. we may be able to see something to make it easier once it does. I would love to be able to have a workbook showing me the stats of my Incidents, but I guess that is more what something like ServiceNow is for.
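The REST call Gary points to, written out as an added example that is not code from this thread or from his blog post: it pulls the workspace's Incidents (with status and assigned owner, which KQL cannot surface) from the SecurityInsights REST API and follows the paged results. The subscription, resource group and workspace values are placeholders, and the api-version, the `Get-AzAccessToken` cmdlet (Az.Accounts) and the `properties.owner.*` field names are assumptions about the incident schema rather than something the thread states.

```powershell
# Added example (not from this thread): list Azure Sentinel incidents with their
# status and assigned user via the SecurityInsights REST API, since incident
# ownership is not exposed to KQL. Requires Az.Accounts and a signed-in session
# (Connect-AzAccount). The subscription, resource group and workspace names are placeholders.
$subscriptionId = "<subscription-id>"
$resourceGroup  = "<resource-group>"
$workspace      = "<workspace-name>"
$apiVersion     = "2020-01-01"   # assumed: a stable incidents API version

# Bearer token for Azure Resource Manager (assumes Az.Accounts with Get-AzAccessToken)
$token   = (Get-AzAccessToken -ResourceUrl "https://management.azure.com/").Token
$headers = @{ Authorization = "Bearer $token" }

$uri = "https://management.azure.com/subscriptions/$subscriptionId" +
       "/resourceGroups/$resourceGroup/providers/Microsoft.OperationalInsights" +
       "/workspaces/$workspace/providers/Microsoft.SecurityInsights/incidents" +
       "?api-version=$apiVersion"

# The API pages results; follow nextLink until it is absent so no incident is missed.
$incidents = @()
while ($uri) {
    $page = Invoke-RestMethod -Method Get -Uri $uri -Headers $headers
    $incidents += $page.value
    $uri = $page.nextLink
}

# Project the fields the thread asks about: status and who the incident is assigned to.
# Field names under properties/owner are assumed from the incident schema.
$incidents | ForEach-Object {
    [pscustomobject]@{
        Number     = $_.properties.incidentNumber
        Title      = $_.properties.title
        Severity   = $_.properties.severity
        Status     = $_.properties.status
        AssignedTo = $_.properties.owner.assignedTo
        OwnerEmail = $_.properties.owner.email
    }
} | Where-Object { $_.Status -ne 'Closed' } |
    Sort-Object Severity | Format-Table -AutoSize
```

The same object list can be piped to `Export-Csv` or fed into a workbook data source if you want the per-owner incident statistics Gary mentions.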