cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Exclude IN Azure Sentinel

Vshah335
Copper Contributor

‎Feb 24 2021 03:04 PM

‎Feb 24 2021 03:04 PM

Exclude IN Azure Sentinel

 

I am using this query for segregation of all Azure services coming into the sentinel. 

 

SecurityIncident
extend Product = todynamic((parse_json(tostring(AdditionalData.alertProductname))[0]))
summarize count() by (tostring(AdditionalData.alertProductNames))
|  sort by count_
 
Backgoround - In our incident dashboard all different teams incident shows  into centrally. 
Question -  Some incident we short by the title name. if we are using same query to exclude some title names won't shows me rest summerize services count. 
 
i hope you understoood. 
Any idea ? 

 

3,553 Views
0 Likes
5 Replies
Reply
5 Replies
Gary Bushey

‎Feb 25 2021 04:27 AM

‎Feb 25 2021 04:27 AM

Re: Exclude IN Azure Sentinel

@Vshah335 If I understand what you are asking the following code will work.  It will only show those items that are NOT in the listing of products. In this case "Microsoft Cloud App Security" will not show up.  I removed the extend line since it was not being used.

 

SecurityIncident
| where tostring(AdditionalData.alertProductNames[0]) !in ("Microsoft Cloud App Security")
| summarize count() by (tostring(AdditionalData.alertProductNames))
| sort by count_

0 Likes
Reply
Vshah335

‎Feb 25 2021 06:22 AM

‎Feb 25 2021 06:22 AM

Re: Exclude IN Azure Sentinel

Thanks for the quick responses. @Gary Bushey 

 

 

If I run this it provide all product names. 

SecurityIncident
| where tostring(AdditionalData.alertProductNames[0]) 

 

So i need all product name but in Azure Sentien i seprate some incidnet by Tittle. I don't want count in Summerize function.  


End Results will be All produt count show up as it is. but in Azure Sentienl product total count by seprated by Title . 

but when i run this query won't get results what i am loooking for .  It only Showing me Azure Sentinel not other product count. 

 

 

0 Likes
Reply
Gary Bushey

‎Feb 26 2021 05:27 AM

‎Feb 26 2021 05:27 AM

Re: Exclude IN Azure Sentinel

@Vshah335 OK, I think I know what you want now.  You want to see all the incidents, but if they were not generated from Azure Sentinel you just want to get a total number of those incidents rather than seeing each one.  Is that correct?

 

IF that is correct, I don't think you can do it with one query.  You can write a query to show all the incidents and then inside a Workbook display them as a grid and then group by the ProviderName field.  This will show the count and then you can expand the Azure Sentinel one to see all the incidents.

0 Likes
Reply
Ofer_Shezaf

‎Feb 28 2021 12:28 PM

‎Feb 28 2021 12:28 PM

Re: Exclude IN Azure Sentinel

How about this?

SecurityIncident
| extend product = tostring(AdditionalData.alertProductNames[0])
| where product !in ("Microsoft Cloud App Security")
| extend summarizeby = iff(product == "Azure Sentinel", Title, product)
| summarize count() by summarizeby
| sort by count_
0 Likes
Reply
Gary Bushey

‎Mar 01 2021 04:32 AM

‎Mar 01 2021 04:32 AM

Re: Exclude IN Azure Sentinel

@Ofer_Shezaf Great piece of KQL code!
0 Likes
Reply