Forum Discussion
Tracking Incidents across Lighthouse
GaryBushey I've tried Item #1 and that didn't seem to work. Even after selecting all workspaces I only see 24 incidents. My query brings back 66. Also, all the incident numbers are sequential and local, whereas the query has many different numbers because of the different Sentinel Instances. For #2 I guess I can do a | summarize max(LastModifiedTime) or something to make the results "singular."
JKatzmandu When I look at all the incidents from various tenants I have access to, they are grouped by the workspace so the Incident ID would be sequential within each workspace.
If you are not seeing the incidents from the other tenants I would double check your Lighthouse configuration to make sure it is working correctly. Can you go into the individual tenant directly and see the incidents from each tenant enabled via Lighthouse?
- JKatzmandu, Jan 13, 2021, Brass Contributor
Aha! There is a "view incidents" link you can select after you check all the workspaces. Once you do that you can see them all. Thank you!
- CliveWatson, Jan 13, 2021, Microsoft
I have an example Workbook that may also help: "Announcing: Azure Sentinel Central Workbook | LinkedIn"