Forum Discussion
CharlieK95
Mar 07, 2022 · Copper Contributor
Sentinel Creating Multiple AlertIDs/IncidentNumbers for Multiple Events
Hey there, this one is really giving me a hard time as I can't quite understand why or how to fix this. In Sentinel, we run a log search in the LAW, and we get a full list of SecurityIncidents us...
Clive_Watson
Mar 07, 2022 · Bronze Contributor
Maybe just use the latest one per Incident Number (which arg_max does for you); this gets rid of those that have changed status during the Incident.
SecurityIncident
| where TimeGenerated > ago(30d)
| summarize count(), arg_max(TimeGenerated,*) by IncidentNumber
You may prefer to filter on LastModified or LastActivity time rather than TimeGenerated in my example?
CharlieK95
Mar 07, 2022 · Copper Contributor
Thank you very much Clive 🙂
You just made my day better haha!
That was the mistake I was making, thanks for the help, will keep that in mind for the future!
GaryBushey
Mar 07, 2022 · Bronze Contributor
BTW, every time an incident is updated in any way, a new row will be added to the SecurityIncidents table, which is why you are seeing all the duplicates.
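Pulling Clive's arg_max approach and Gary's explanation together, here is an added KQL example (not from either reply) that keys the "latest row" on the incident's own LastModifiedTime instead of TimeGenerated, keeps a count of how many update rows each incident produced, and only then filters on Status. The Status filter has to come after the arg_max: an incident that was later closed still has an earlier row with Status "New", and filtering before the summarize would let that stale row through. Column names are the standard SecurityIncident schema columns.

```kql
// Added example, not part of the thread. One row per incident, using the
// incident's own LastModifiedTime as the "latest" key (Clive's suggestion).
SecurityIncident
| where TimeGenerated > ago(30d)
// count() shows how many update rows the incident generated (Gary's point);
// arg_max keeps the columns of the most recently modified row only.
| summarize UpdateRows = count(), arg_max(LastModifiedTime, *) by IncidentNumber
// Filter on the current state only AFTER dedup, so an incident that moved
// New -> Active -> Closed is judged by its final row, not an old one.
| where Status != "Closed"
| project IncidentNumber, Title, Severity, Status, Owner,
          CreatedTime, LastModifiedTime, UpdateRows
| order by LastModifiedTime desc
```

To check the dedup worked, compare `count()` against `dcount(IncidentNumber)` on the unsummarized table for the same window; the second number is the real incident count.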