Forum Discussion
Cristhofer Munoz
Microsoft
Nov 11, 2020
What's New: Tags column is now available in Azure Sentinel incidents page!
Hello everyone,
We are happy to share with you a small but important improvement we added to our incidents blade – a new tag column is now available as part of the Incidents list!
Tags are...
Paolo1490
Feb 07, 2023, Copper Contributor
Hi Cristhofer Munoz, is it possible to search for these tags via KQL?
Specifically I am running a search of security incidents this year, and I would like to 'not' include any tickets with an 'auto close' tag. This would provide me with a list and number of tickets by 'humans' in my team rather than including ones closed by playbooks and automation etc.
Cheers.
- Clive_Watson, Feb 07, 2023, Bronze Contributor
Labels == Tags
SecurityIncident
| extend Tags = parse_json(Labels)
| extend labelName_ = tostring(Tags[0].labelName)
| where isnotempty(labelName_)
- Patclementine, Jan 17, 2024, Copper Contributor
Hi Clive,
I was reading through the documentation on how to create a Sentinel incident with the API, but unfortunately I am not able to add labels/tags while creating a Sentinel incident manually with an API payload.
Any suggestions I could try?
- GBushey, Jan 17, 2024, Former Employee
They are referred to as "labels" in the REST API documentation. I have an example with them in my Sentinel development EBook: https://garybushey.com/2023/11/27/programming-book-version-1-0-finally-ready/
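For the KQL question earlier in the thread (listing this year's incidents while leaving out any tagged 'auto close'), one way to write the query is sketched here as an added example; it is not code from any participant in the thread. It assumes the tag text is exactly "auto close" and that `Labels` is the dynamic array of `labelName` objects used in the reply above, and it checks every label on the incident rather than only the first.

```kusto
// Added example, not from the thread. Assumption: the tag text is "auto close".
let excludedTag = "auto close";
// SecurityIncident gets a new row on every incident update,
// so keep only the latest row per incident.
let latest =
    SecurityIncident
    | where CreatedTime >= startofyear(now())
    | summarize arg_max(TimeGenerated, *) by IncidentNumber;
// Incidents where ANY label (not only Labels[0]) matches the excluded tag,
// compared case-insensitively.
let autoClosed =
    latest
    | mv-expand Label = Labels
    | where tostring(Label.labelName) =~ excludedTag
    | distinct IncidentNumber;
// Anti-join: keep incidents that never appear in the auto-closed set,
// including incidents that have no labels at all.
latest
| join kind=leftanti autoClosed on IncidentNumber
| project IncidentNumber, Title, Severity, Status, CreatedTime, ClosedTime,
          Owner = tostring(Owner.assignedTo)
| order by CreatedTime desc
```

Replacing the final `project` and `order by` lines with `| count` returns the number of incidents instead of the list.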