All the events pertaining to the incident are not shown when grouping based on Tenant enabled.

Copper Contributor

We do have a customer base with more than one entity(customer company) sending logs to one Sentinel instance. For differentiating between the entities, we have enabled grouping of alerts based on tenants. When we go into incidents and click on the Events, we are taken to individual alerts and we have to click on each and every alert to look and collect the event details.  We do have SLA for reporting the incident to customer and within the time it is very difficult for the analysts to grab all the events and send it to customer. 

 

Also when we look into events of each individual alerts, we are not getting the cumulative data as we get for the incident as the whole which again causes duplication of data. 

 

We have raised the case with Microsoft and the analyst asked to raise this as a feature request,.

 

What we need is even though the alerts are grouped based on tenants, when we click on the events page we should be able to go directly to Logs page where the KQL runs and fetches us the results. 

 

 

SangaraNarayanan_0-1704344786052.png

 

 

7 Replies

If you are experiencing issues where all events related to an incident are not visible when grouping based on Tenant, consider the following steps to troubleshoot the problem:

  1. Check Filters: Ensure that your filtering settings are configured correctly. Double-check if there are any filters applied that might be excluding certain events. Adjust the filters to include the relevant criteria for the events related to the incident.

  2. Date Range: Verify the date range settings for your view. If the events occurred outside the specified date range, they might not be visible. Adjust the date range to encompass the timeframe of the incident.

  3. Grouping Settings: Review the grouping settings to make sure that events related to the incident are included in the grouping criteria. Adjust the grouping parameters if necessary to ensure that all relevant events are considered.

  4. Permissions: Confirm that your user account has the necessary permissions to view all events related to the incident. In some cases, access restrictions may limit the visibility of certain information.

  5. Data Integrity: Check the integrity of the data related to the incident. If there are inconsistencies or errors in the data, it might affect the grouping and display of events. Ensure that the data is accurate and complete.

  6. Software Version: Ensure that you are using the latest version of the software or platform. Updates and patches are often released to address bugs and improve functionality.

  7. Contact Support: If the issue persists, consider reaching out to the support team of the software or platform. They can provide specific assistance based on the details of your incident and the features of the tool you are using.

By going through these steps, you should be able to identify and resolve the issues preventing the visibility of all events related to the incident when grouping based on Tenant.

 Hello Thanks for the response. When we clicked events, its taking us to individual alerts and we need to click on events inside them. We need that at one shot. When we raised a support request, we were asked to put a request in this forum as a new feature request.

Hi @SangaraNarayanan!

I've written the following query, in hopes that it meets your requirements.

let lookback = 90d;
SecurityIncident
| where TimeGenerated > ago(lookback) and IncidentNumber == 122
| summarize arg_max(TimeGenerated, AlertIds) by IncidentName
| mv-expand AlertId = AlertIds to typeof(string)
| join kind=inner (SecurityAlert
    | where TimeGenerated > ago(lookback * 2)
    | summarize arg_max(TimeGenerated, ExtendedProperties) by SystemAlertId
    | project AlertResults = tostring(parse_json(ExtendedProperties).Query), SystemAlertId)
    on $left.AlertId == $right.SystemAlertId
| project compressedRec = parse_json(replace_string(replace_string(replace_string(AlertResults, '// might contain sensitive data\nlet alertedEvent = datatable(compressedRec: string)\n', ''), '\n| extend raw = todynamic(zlib_decompress_from_base64_string(compressedRec)) | evaluate bag_unpack(raw) | project-away compressedRec;\nalertedEvent', ''), "'", '"'))
| where compressedRec startswith '["' // This will filter out alerts for which extraction failed, possibly because alert event grouping was enabled.
| mv-expand compressedRec to typeof(string)
| project raw = parse_json(zlib_decompress_from_base64_string(compressedRec))
| evaluate bag_unpack(raw)

 

It uses the Query property of the ExtendedProperties column to reconstruct the original events. It works in the same way that the official Incident Overview works, but this query allows you to gather all the original events belonging to one incident in one go.

 

If you are seeing a lot of empty values in the results, it might be that the alerts that are grouped in your incidents came from multiple Analytics Rules and have a different output schema. In that case, I would recommend you to take away the last line of the query and to provide the original events to your clients in json format.

 

Please note that this solution does not work for non-Sentinel alerts, and for alerts from Analytics Rules using "Event grouping". I have also not tested this extensively, so use at your own risk 🙂

 

This question was quite interesting, so I decided to write about the solution in more detail on my blog at https://rutgersmeets.eu/obtaining-a-grouped-microsoft-sentinel-incidents-raw-events. Thank you for the opportunity!

 

Best regards,

Rutger

 @rutgersmeets Hope you are doing well! 

 

Could you please help @SangaraNarayanan with his queries "All the events pertaining to the incident are not shown when grouping based on Tenant enabled"

 

Hi @Ruby_Kumari,

 

Have you tried to use the query that I created in my previous reply? I designed it to provide an overview of grouped alerts (Create custom analytics rules to detect threats with Microsoft Sentinel | Microsoft Learn) for one incident.

 

In what way does it not meet your requirements? What do you mean by "based on Tenant"?

 

Best regards,

Rutger

@rutgersmeets : Thanks for your response. We do built custom query for getting the results. But what we asked Microsoft is to have a button on clicking it will take me to the Log analytic workspace to get all the events based on the incident,. 

 

Now if we click on events, it takes to individual alerts pertaining to the incident.

 

Thanks,

Sangar

Hi @SangaraNarayanan,

 

Thank you for the clarification. If your aim is to ask Microsoft to add this feature to the product, I'm afraid that I have no influence on that. You would need to reach out to your Account Manager and ask for a feature request to be opened.

 

My recommendation for a direct solution is to create an Azure Workbook. In a Workbook, you can create a custom Incident Overview page and design it to your exact requirements. There are already some interesting solutions in the Content Hub that may serve as an example to what you are trying to achieve. Take a look at "Sentinel Central" or "Incident Management with Microsoft Sentinel".

 

If you're looking to develop a solution yourself, I recommend to read https://learn.microsoft.com/en-us/azure/azure-monitor/visualize/workbooks-interactive-reports#set-up... for more information. You could create two panels: one to list the active incidents in the workspace, and a second to load all the alerts for the selected incident in the results of the first query.

 

For the first panel, I recommend using the Azure Resource Manager data source, using the following endpoint of the ARM REST API: https://learn.microsoft.com/en-us/rest/api/securityinsights/incidents/list?view=rest-securityinsight.... Be sure to use the $filter option to only show recent and New incidents. A simpler setup would use a normal parameter, allowing for manual entry of the incident number. For the second panel, you could use the query I provided and pass the incident number as a parameter.

 

I realize that this may not be the answer you were looking for, but I hope it helps!

 

Kind regards,

Rutger