Forum Discussion
Visualization Workbooks
Hey Community,
On our cloud Sentinel env, I am trying to build workbooks. Under Visualization workbooks, create two separate Incidents columns and build a chart with those incidents. I would like to display incidents from separate workspaces in separate columns.
Query:
SecurityIncident
| take 20
Under the Visualization DEMO workbooks,
all alerts generated in Sentinel display under the output column. But we need to separate core alerts and outside-org alerts.
10 Replies
- GaryBushey (Bronze Contributor)
Vshah335 If I understand what you are asking for, you want to be able to have one column for those incidents created by Azure Sentinel and another for those created by other Azure security products like Microsoft Cloud App Security.
To do this, you need to get to the actual product creation, which is hidden in the AdditionalData field and is called "alertProductNames". For some reason this is stored as a JSON array, so you need to extract that value and then expand it like this:
SecurityIncident
| extend ProductName = (parse_json(AdditionalData).alertProductNames)
| mv-expand ProductName
You can then use the ProductName field to determine who generated the incident.
- Vshah335 (Copper Contributor)
Thanks GaryBushey
I applied that value under the field name and it works.
GaryBushey Do you have a workbook visualization template (not built into workbooks)? Only for the SecurityIncident query. I just want to explore it myself.
- GaryBushey (Bronze Contributor)
Vshah335 The only one I have is the one that comes with Azure Sentinel.
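As an added example (not from the thread or from any Sentinel template), the KQL below builds on the parse_json/mv-expand approach from GaryBushey's reply and turns it into a per-day table with one column per incident source, which is the shape a workbook bar or line chart needs for "separate columns". The list of product names treated as "core" Sentinel is an assumption; check the distinct ProductName values in your own workspace first.

```kusto
// Added example, not code from the thread. Counts incidents per day, split into
// a "Core Sentinel" column and an "Other product" column for a workbook chart.
SecurityIncident
| where TimeGenerated > ago(30d)
// SecurityIncident writes a new row every time an incident is updated, so keep
// only the latest row per incident; otherwise every update is counted again.
| summarize arg_max(TimeGenerated, *) by IncidentNumber
// alertProductNames is a JSON array inside AdditionalData: expand it so that an
// incident built from alerts of several products yields one row per product.
| extend ProductName = parse_json(AdditionalData).alertProductNames
| mv-expand ProductName
| extend ProductName = tostring(ProductName)
// Assumption: these product names identify incidents created by Sentinel's own
// analytics rules; everything else (MCAS, Defender, etc.) goes to the other column.
| extend IncidentSource = iff(ProductName in~ ("Azure Sentinel", "Microsoft Sentinel"),
                              "Core Sentinel", "Other product")
// Bucket on the incident's creation time rather than on the last update time.
| extend Day = bin(CreatedTime, 1d)
// Pivot the source into columns: Day | Core Sentinel | Other product.
// dcount keeps an incident with several products from inflating a single column.
| evaluate pivot(IncidentSource, dcount(IncidentNumber), Day)
| order by Day asc
```

In the workbook, set Day as the x-axis and the two pivoted columns as series; if you prefer one series per source instead of separate columns, replace the pivot with `summarize dcount(IncidentNumber) by Day, IncidentSource`.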