How to export incidents in Azure Sentinel


Hi Team,


I need to export the incidents to Excel. Is this possible?


Basically I want to summarize the number of incidents triggered for a certain time period and do further analysis on this.


Thanks

4 Replies

@Pavan_Gelli would doing a query against SecurityAlert work? It shows the alerts but not the actual incidents, but the numbers should be close if you don't need the exact information from the incident. If you query in the Logs screen you can export your results.

@Pavan_Gelli Once you have the KQL query you want, run it and then choose the Export menu. Is this what you're talking about?


[Screenshot: export.jpg, the Export menu in the Logs screen]
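As an added example (not code from any of the posters), here is a KQL query of the kind the two replies above describe: it runs against SecurityAlert in the Logs screen, so the result can be exported with the Export menu, and it summarizes alert counts per day and severity for a chosen window. It assumes the standard SecurityAlert columns SystemAlertId, AlertSeverity and ProductName.

```kql
// Added example: count Sentinel alerts per day and severity over a lookback window.
// SecurityAlert holds alerts, not incidents (see the caveat in the first reply), and
// an alert can be written more than once as it is updated, so keep one row per
// SystemAlertId before counting; otherwise the totals overstate what fired.
let lookback = 30d;
SecurityAlert
| where TimeGenerated > ago(lookback)
| summarize arg_max(TimeGenerated, *) by SystemAlertId           // latest copy of each alert
| summarize AlertCount = count()
    by Day = bin(TimeGenerated, 1d), AlertSeverity, ProductName  // one row per day/severity/source
| order by Day asc, AlertSeverity asc
```

Change `lookback` to the period you want to analyze; the exported CSV then opens directly in Excel for the further analysis asked about in the question.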

Just saw this great post on LinkedIn about it. https://azsec.azurewebsites.net/2019/12/16/extract-all-azure-sentinel-incidents/

I want to close all Key Vault incidents, but I don't see a way to do this using PS @Gary Bushey