Separation of Security incident


I am using this query for security incidents, but I am getting every incident that exists in Sentinel in that query. How do I separate them and avoid duplication of incidents while generating pie charts?

SecurityIncident
| summarize count() by Status, bin(TimeGenerated, 1d)

Both queries show all security incidents (Assigned, New, Closed) on the pie chart and count the same incident twice.

Thanks in advance.
 
 

@Vshah335 Try something like:

SecurityIncident
// '*' returns the remaining columns (Status, Owner, ...) of the latest row per incident
| summarize arg_max(TimeGenerated, *) by IncidentNumber

You can add Status inside the arg_max as well.
 
If you look at the Security Operations Efficiency workbook there are lots of examples of how to get the Incidents by different fields.

Thanks @Gary Bushey for the quick reply.

My question is: for example, we have two different tenants, X and Y, in the same workspace.

For example, if I assign an incident to myself:
- New - viral
- Assigned to - viral
- Closed - viral

So I just want to monitor the Y tenant's security incidents only. On top of that, when I try to run the query against it, it shows the same incident in the results again and again. It counts 3 incidents in the results instead of one incident (the number went high while I generated the pie chart).

Is there any way to count the main incident, which was generated first, in the results?

Thanks for your response.

@Vshah335 This should do it

SecurityIncident
// replace X with the tenant's GUID as a quoted string, e.g. "00000000-0000-0000-0000-000000000000"
| where TenantId == X
| summarize dcount(IncidentNumber) by bin(TimeGenerated, 1d)

Where X is the TenantId you care about. Add other fields as needed for charting.
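Putting the two replies together, here is a self-contained query added for illustration (it is not code from either poster). It can be pasted into the Logs blade as-is because it builds a small datatable of constructed rows standing in for SecurityIncident, with one row per incident update, which is exactly why a plain count() reports one incident several times. The tenant values, the Owner column contents and every row are constructed for the example. It filters to one tenant, keeps only the latest row per incident with arg_max(TimeGenerated, *), and then counts each incident once under its current status.

```kql
// Constructed stand-in for the SecurityIncident table (sample rows, not real incidents).
// Sentinel appends a new row each time an incident changes, so incident 101 below has
// three rows (New -> Active -> Closed) and a plain count() would report it three times.
let SampleIncidents = datatable(TimeGenerated: datetime, IncidentNumber: int, Status: string, TenantId: string, Owner: string)
[
    datetime(2020-10-20 09:00:00), 101, "New",    "tenant-Y", "",
    datetime(2020-10-20 09:30:00), 101, "Active", "tenant-Y", "viral",
    datetime(2020-10-20 11:00:00), 101, "Closed", "tenant-Y", "viral",
    datetime(2020-10-20 10:00:00), 102, "New",    "tenant-Y", "",
    datetime(2020-10-21 08:00:00), 103, "New",    "tenant-X", "",
    datetime(2020-10-21 08:30:00), 103, "Closed", "tenant-X", "viral"
];
SampleIncidents
// Keep only the tenant being monitored (use the real TenantId GUID against the live table).
| where TenantId == "tenant-Y"
// Collapse the update rows to the most recent one per incident; the '*' carries the
// other columns (Status, Owner, ...) of that latest row along with it.
| summarize arg_max(TimeGenerated, *) by IncidentNumber
// Each incident now contributes exactly one row, under its current status.
| summarize Incidents = count() by Status
| render piechart
```

With these rows, incident 101 is counted once as Closed instead of three times, and incident 103 is excluded by the tenant filter. To run it against the live table, drop the let block and replace SampleIncidents with SecurityIncident. For the per-day count from the second reply, replace the last two lines with `| summarize dcount(IncidentNumber) by bin(TimeGenerated, 1d)`; the two approaches differ in one way worth knowing: dcount deduplicates only within each day's bin, so an incident updated on two different days is counted on both days, whereas the arg_max version attributes each incident to the day of its latest update only.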