Vshah335
Feb 24, 2021 - Copper Contributor
Exclude IN Azure Sentinel
I am using this query for segregating all Azure services coming into Sentinel:
SecurityIncident | extend Product = todynamic((parse_json(tostring(AdditionalData.alertProductname))[0]...
GaryBushey
Feb 26, 2021 - Bronze Contributor
Vshah335 OK, I think I know what you want now. You want to see all the incidents, but if they were not generated from Azure Sentinel you just want to get a total number of those incidents rather than seeing each one. Is that correct?
If that is correct, I don't think you can do it with one query. You can write a query to show all the incidents and then inside a Workbook display them as a grid and then group by the ProviderName field. This will show the count and then you can expand the Azure Sentinel one to see all the incidents.
Ofer_Shezaf
Microsoft
Feb 28, 2021
How about this?
SecurityIncident
| extend product = tostring(AdditionalData.alertProductNames[0])
| where product !in ("Microsoft Cloud App Security")
| extend summarizeby = iff(product == "Azure Sentinel", Title, product)
| summarize count() by summarizeby
| sort by count_
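To show how the grouping above behaves, here is an added, self-contained version of the same query run over a constructed datatable instead of the live SecurityIncident table. This is example code, not Ofer_Shezaf's or Microsoft's; the incident rows are invented sample data, and the "Unknown product" guard for incidents whose AdditionalData carries no alertProductNames array is an addition that the original query does not have.

```kusto
// Constructed sample incidents (hypothetical data, not from the original thread).
// Only the columns the query touches are modelled: Title, ProviderName, AdditionalData.
let SampleIncidents = datatable(IncidentNumber:int, Title:string, ProviderName:string, AdditionalData:dynamic)
[
    1, "Brute force attempt",        "Azure Sentinel", dynamic({"alertProductNames":["Azure Sentinel"]}),
    2, "Brute force attempt",        "Azure Sentinel", dynamic({"alertProductNames":["Azure Sentinel"]}),
    3, "Impossible travel",          "Azure Sentinel", dynamic({"alertProductNames":["Azure Sentinel"]}),
    4, "Suspicious sign-in",         "Azure Active Directory Identity Protection", dynamic({"alertProductNames":["Azure Active Directory Identity Protection"]}),
    5, "Malware detected",           "Microsoft Defender Advanced Threat Protection", dynamic({"alertProductNames":["Microsoft Defender Advanced Threat Protection"]}),
    6, "Anomalous download",         "Microsoft Cloud App Security", dynamic({"alertProductNames":["Microsoft Cloud App Security"]}),
    7, "Incident with no product",   "Azure Sentinel", dynamic({})
];
SampleIncidents
// First entry of the alertProductNames array identifies the originating product.
| extend product = tostring(AdditionalData.alertProductNames[0])
// Added guard: an incident with no alertProductNames would otherwise land in an empty-string bucket.
| extend product = iff(isempty(product), "Unknown product", product)
// Exclusion list: products you do not want in the report at all.
| where product !in ("Microsoft Cloud App Security")
// Sentinel-generated incidents are keyed by Title (one row per rule), every other product by its name.
| extend summarizeby = iff(product == "Azure Sentinel", Title, product)
| summarize count() by summarizeby
| sort by count_ desc
```

On this data the two "Brute force attempt" incidents collapse into a single row, "Impossible travel" gets its own row, the Identity Protection and Defender incidents each appear once under their product name, the Cloud App Security incident is dropped by the exclusion, and incident 7 surfaces under "Unknown product" rather than silently disappearing. To run it against a real workspace, replace SampleIncidents with SecurityIncident and remove the let statement.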
GaryBushey
Mar 01, 2021 - Bronze Contributor
Ofer_Shezaf Great piece of KQL code!