Forum Discussion
Visualization Workbooks
Vshah335 If I understand what you are asking for, you want to be able to have one column for those incidents created by Azure Sentinel and another for those created by other Azure security products like Microsoft Cloud App Security.
To do this, you need to get to the actual product creation, which is hidden in the AdditionalData field and is called "alertProductNames". For some reason this is stored as a JSON array, so you need to extract that value and then expand it like this:
Thanks Gary Bushey GaryBushey
I applied that value under field name and it works.
GaryBushey Do you have a workbook visualization template (not built-in to workbooks)? Only for the Security Incident query. I just want to explore it myself.
- GaryBushey, Oct 06, 2020, Bronze Contributor
Vshah335 The only one I have is the one that comes with Azure Sentinel.
- Vshah335, Oct 07, 2020, Copper Contributor
SecurityIncident
| extend ProductName = (parse_json(AdditionalData).alertProductNames)
| mv-expand ProductName
In the above query you provided earlier, there is a field (column) called 'Owner'. Question: here, is it possible to only show 'UserPrincipalName' or 'AssignedTo' or 'Email'? I only need one field. Can you please provide an updated query?
{"userPrincipalName":null,"assignedTo":null,"objectId":null,"email":null}
Again, thanks in advance.
- GaryBushey, Oct 07, 2020, Bronze Contributor
Vshah335 In the query below, you can then use ProductName.alertProductNames or ProductName.Owner or any other entry that is part of the AdditionalData field to get its data.
SecurityIncident
| extend ProductName = parse_json(AdditionalData)
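A fuller version of what this thread works toward, added here as an example and not taken from any of the posters: it combines the alertProductNames expansion from the earlier reply with a single Owner column, so a workbook grid can show one product and one owner value per incident. It assumes the standard SecurityIncident schema in which Owner is its own dynamic column alongside AdditionalData, and that the columns IncidentNumber, Title, Severity, Status, TimeGenerated and LastModifiedTime exist; if your workspace differs, adjust the names.

```kql
// Added example (not from the thread). Assumes the standard SecurityIncident
// schema: Owner and AdditionalData are dynamic columns, and IncidentNumber,
// Title, Severity, Status, TimeGenerated, LastModifiedTime are present.
SecurityIncident
| where TimeGenerated > ago(30d)
// SecurityIncident writes a new row on every update; keep only the latest
// state of each incident so an incident is not counted once per edit.
| summarize arg_max(LastModifiedTime, *) by IncidentNumber
// alertProductNames is a JSON array inside AdditionalData; expand it to
// one row per creating product (an incident with two products yields two rows).
| extend ProductNames = parse_json(AdditionalData).alertProductNames
| mv-expand ProductName = ProductNames to typeof(string)
// Owner is a dynamic column; show exactly one field, falling back through
// the others so the workbook column is never blank for an unassigned incident.
| extend OwnerShown = coalesce(
    tostring(Owner.userPrincipalName),
    tostring(Owner.assignedTo),
    tostring(Owner.email),
    "Unassigned")
| project IncidentNumber, Title, Severity, Status, ProductName, OwnerShown
| order by IncidentNumber desc
```

For a bar or pie visualization of "incidents per product", append `| summarize Incidents = dcount(IncidentNumber) by ProductName` after the mv-expand instead of the final project; dcount is used because the expansion can produce more than one row per incident.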