Forum Discussion
Exclude IN Azure Sentinel
Vshah335 If I understand what you are asking the following code will work. It will only show those items that are NOT in the listing of products. In this case "Microsoft Cloud App Security" will not show up. I removed the extend line since it was not being used.
SecurityIncident
| where tostring(AdditionalData.alertProductNames[0]) !in ("Microsoft Cloud App Security")
| summarize count() by (tostring(AdditionalData.alertProductNames))
| sort by count_
- Vshah335, Feb 25, 2021, Copper Contributor
Thanks for the quick responses. GaryBushey
If I run this it provides all product names.
SecurityIncident
| where tostring(AdditionalData.alertProductNames[0])
So I need all product names, but in Azure Sentinel I separate some incidents by Title. I don't want count in the Summarize function.
End result: all product counts show up as they are, but the Azure Sentinel product total count is separated by Title.
But when I run this query I don't get the results I am looking for. It only shows me Azure Sentinel, not the other product counts.
- GaryBushey, Feb 26, 2021, Bronze Contributor
Vshah335 OK, I think I know what you want now. You want to see all the incidents, but if they were not generated from Azure Sentinel you just want to get a total number of those incidents rather than seeing each one. Is that correct?
If that is correct, I don't think you can do it with one query. You can write a query to show all the incidents and then inside a Workbook display them as a grid and then group by the ProviderName field. This will show the count and then you can expand the Azure Sentinel one to see all the incidents.
- Ofer_Shezaf, Feb 28, 2021, Microsoft
How about this?
SecurityIncident
| extend product = tostring(AdditionalData.alertProductNames[0])
| where product !in ("Microsoft Cloud App Security")
| extend summarizeby = iff(product == "Azure Sentinel", Title, product)
| summarize count() by summarizeby
| sort by count_
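To try the grouping logic above without a live SecurityIncident table, here is an added example (not from any poster in this thread) that runs the same query over a constructed datatable; the rows, titles and product names are made up, and the last row shows the caveat that `alertProductNames[0]` only looks at the first product of a multi-product incident.

```kql
// Constructed sample rows standing in for SecurityIncident (not real data)
let SampleIncidents = datatable(Title:string, AdditionalData:dynamic)
[
    "Suspicious sign-in", dynamic({"alertProductNames":["Azure Sentinel"]}),
    "Suspicious sign-in", dynamic({"alertProductNames":["Azure Sentinel"]}),
    "Mass download",      dynamic({"alertProductNames":["Azure Sentinel"]}),
    "Malware detected",   dynamic({"alertProductNames":["Microsoft Defender for Endpoint"]}),
    "Impossible travel",  dynamic({"alertProductNames":["Microsoft Cloud App Security"]}),
    // Two products on one incident: only the first element is used as "product"
    "Multi-source alert", dynamic({"alertProductNames":["Microsoft Defender for Endpoint","Azure Sentinel"]})
];
SampleIncidents
// Take the first alert product name as the incident's product
| extend product = tostring(AdditionalData.alertProductNames[0])
// Drop the products you do not want to count at all
| where product !in ("Microsoft Cloud App Security")
// Sentinel incidents are bucketed by Title, every other product by product name
| extend summarizeby = iff(product == "Azure Sentinel", Title, product)
| summarize count() by summarizeby
| sort by count_ desc
```

Expected buckets on this sample: "Suspicious sign-in" 2, "Microsoft Defender for Endpoint" 2, "Mass download" 1; the Cloud App Security row is excluded and the multi-source row lands under Defender because of the `[0]` index.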