Exclude IN Azure Sentinel

Copper Contributor

 

I am using this query for segregation of all Azure services coming into the sentinel. 

 

SecurityIncident
extend Product = todynamic((parse_json(tostring(AdditionalData.alertProductname))[0]))
summarize count() by (tostring(AdditionalData.alertProductNames))
|  sort by count_
 
Backgoround - In our incident dashboard all different teams incident shows  into centrally. 
Question -  Some incident we short by the title name. if we are using same query to exclude some title names won't shows me rest summerize services count. 
 
i hope you understoood. 
Any idea ? 

 

5 Replies

@Vshah335 If I understand what you are asking the following code will work.  It will only show those items that are NOT in the listing of products. In this case "Microsoft Cloud App Security" will not show up.  I removed the extend line since it was not being used.

 

SecurityIncident
| where tostring(AdditionalData.alertProductNames[0]) !in ("Microsoft Cloud App Security")
| summarize count() by (tostring(AdditionalData.alertProductNames))
| sort by count_

Thanks for the quick responses. @Gary Bushey 

 

 

If I run this it provide all product names. 

SecurityIncident
| where tostring(AdditionalData.alertProductNames[0]) 

 

So i need all product name but in Azure Sentien i seprate some incidnet by Tittle. I don't want count in Summerize function.  


End Results will be All produt count show up as it is. but in Azure Sentienl product total count by seprated by Title . 

but when i run this query won't get results what i am loooking for .  It only Showing me Azure Sentinel not other product count. 

 

 

@Vshah335 OK, I think I know what you want now.  You want to see all the incidents, but if they were not generated from Azure Sentinel you just want to get a total number of those incidents rather than seeing each one.  Is that correct?

 

IF that is correct, I don't think you can do it with one query.  You can write a query to show all the incidents and then inside a Workbook display them as a grid and then group by the ProviderName field.  This will show the count and then you can expand the Azure Sentinel one to see all the incidents.

How about this?

SecurityIncident
| extend product = tostring(AdditionalData.alertProductNames[0])
| where product !in ("Microsoft Cloud App Security")
| extend summarizeby = iff(product == "Azure Sentinel", Title, product)
| summarize count() by summarizeby
| sort by count_
@Ofer_Shezaf Great piece of KQL code!