Forum Discussion

Copper Contributor

Oct 01, 2020

Visualization Workbooks

Hey Community, On our Cloud Sentinel env, i am trying to build workbooks, Under Visualization workbooks create two separate Incidents Column and build on Chart with that Incident. I would like...

Copper Contributor

Oct 05, 2020

Thanks Gary Bushey GaryBushey

I applied that Value under field name and it's works.

GaryBushey Do you have workbooks visualization template(not in-build in workbooks ) ? For only for Security Incident query. Just want to explore my self into it.

Bronze Contributor

Oct 06, 2020

Vshah335 The only one I have is the one that comes with Azure Sentinel.

Vshah335
Copper Contributor
Oct 07, 2020
GaryBushey

SecurityIncident
| extend ProductName = (parse_json(AdditionalData).alertProductNames)
| mv-expand ProductName

On Above Query U provided earlier , In that there is Field(Colum) called 'Owner'
Question -
Here, Is it possible only shows 'UserprincipalName' or 'AssignedTO' Or ' Email' . Only Need One Field. Can you please provide updated query?
{"userPrincipalName":null,"assignedTo":null,"objectId":null,"email":null}

Again, thanks in Advance.
- GaryBushey
  Bronze Contributor
  Oct 07, 2020
  Vshah335 In the query below, you can then use ProductName.alertProductNames or ProductName.Owner or any other entry that is part of the AdditionalData field to get its data.
  
  SecurityIncident
  | extend ProductName = parse_json(AdditionalData)
  - Vshah335
    Copper Contributor
    Oct 07, 2020
    GaryBushey
    
    SecurityIncident
    | extend ProductName = parse_json(AdditionalData, ProductNames.owner)
    | mv-expand AdditionalData = " email "
    
    Or
    SecurityIncident
    | extend ProductName = parse_json(AdditionalData, ProductNames.owner)
    | where AdditionalData = " email "
    
    I am running both query, but throw me error. Any Idea ?

Resources