Feb 24 2021 03:04 PM
I am using this query to segregate all Azure services coming into Sentinel.
Feb 25 2021 04:27 AM
@Vshah335 If I understand what you are asking the following code will work. It will only show those items that are NOT in the listing of products. In this case "Microsoft Cloud App Security" will not show up. I removed the extend line since it was not being used.
SecurityIncident
| where tostring(AdditionalData.alertProductNames[0]) !in ("Microsoft Cloud App Security")
| summarize count() by (tostring(AdditionalData.alertProductNames))
| sort by count_
Feb 25 2021 06:22 AM
Thanks for the quick responses. @Gary Bushey
If I run this it provides all product names.
SecurityIncident
| extend Product = tostring(AdditionalData.alertProductNames[0])
| where isnotempty(Product)
| distinct Product
So I need all product names, but in Azure Sentinel I separate some incidents by Title. I don't want a count in the summarize function.
End result: all product counts should show up as they are, but for Azure Sentinel the product total count should be separated by Title.
But when I run this query I don't get the results I am looking for. It only shows me Azure Sentinel, not the other product counts.
Feb 26 2021 05:27 AM
@Vshah335 OK, I think I know what you want now. You want to see all the incidents, but if they were not generated from Azure Sentinel you just want a total number of those incidents rather than seeing each one. Is that correct?
If that is correct, I don't think you can do it with one query. You can write a query to show all the incidents and then, inside a Workbook, display them as a grid and group by the ProviderName field. This will show the count, and then you can expand the Azure Sentinel one to see all the incidents.
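The Workbook grouping above is one route. As an added example (not code from either poster), the query below produces the shape of output the thread describes directly in KQL: Azure Sentinel incidents broken down by Title, every other product collapsed to a single count per product. It relies on the standard SecurityIncident columns (IncidentNumber, Title, LastModifiedTime, AdditionalData.alertProductNames) and assumes, as the thread does, that Sentinel's own analytics rules report the product name "Azure Sentinel"; adjust that literal if your workspace shows "Microsoft Sentinel" instead. The arg_max step is a practical caveat: SecurityIncident writes a new row every time an incident is updated, so counting raw rows overstates the totals.

```kql
// Added example: one row per Title for Azure Sentinel incidents,
// one row per product for everything else, in a single query.
let incidents = SecurityIncident
    // SecurityIncident logs every status/owner/severity change as a new row;
    // keep only the latest row per incident so each incident counts once.
    | summarize arg_max(LastModifiedTime, *) by IncidentNumber
    // First product in the alert list is the one the thread keys on.
    | extend Product = tostring(AdditionalData.alertProductNames[0])
    | where isnotempty(Product);
// Sentinel-generated incidents: total per Title (assumed product name).
incidents
| where Product == "Azure Sentinel"
| summarize IncidentCount = count() by Product, Title
| union (
    // All other products: one total per product, Title collapsed.
    incidents
    | where Product != "Azure Sentinel"
    | summarize IncidentCount = count() by Product
    | extend Title = "(all titles)"
)
| project Product, Title, IncidentCount
| sort by Product asc, IncidentCount desc
```

Swap `Title` for `ProviderName` in the first leg if you prefer the grouping Gary describes for the Workbook grid; the union structure stays the same.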
Feb 28 2021 12:28 PM