Forum Discussion
Exclude IN Azure Sentinel
Thanks for the quick responses. GaryBushey
If I run this it provides all product names.
SecurityIncident
// Pull the first alert product name out of the dynamic AdditionalData column
| extend ProductName = tostring(AdditionalData.alertProductNames[0])
So I need all product names, but in Azure Sentinel I separate some incidents by Title. I don't want to count those in the Summarize function.
End result will be all product counts showing up as they are, but in Azure Sentinel the product total count separated by Title.
But when I run this query I don't get the results I am looking for. It only shows me Azure Sentinel, not the other product counts.
Vshah335 OK, I think I know what you want now. You want to see all the incidents, but if they were not generated from Azure Sentinel you just want to get a total number of those incidents rather than seeing each one. Is that correct?
If that is correct, I don't think you can do it with one query. You can write a query to show all the incidents and then inside a Workbook display them as a grid and then group by the ProviderName field. This will show the count and then you can expand the Azure Sentinel one to see all the incidents.
Ofer_Shezaf (Microsoft), Feb 28, 2021: How about this?
SecurityIncident
| extend product = tostring(AdditionalData.alertProductNames[0])
| where product !in ("Microsoft Cloud App Security")
| extend summarizeby = iff(product == "Azure Sentinel", Title, product)
| summarize count() by summarizeby
| sort by count_
GaryBushey (Bronze Contributor), Mar 01, 2021: Ofer_Shezaf Great piece of KQL code!
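As an added example (not code from the thread), the same iff-based grouping rule from Ofer_Shezaf's answer, with two checks a practitioner would want before trusting the counts: deduplicating incident update rows and handling incidents whose alertProductNames is empty. It assumes the standard Azure Sentinel SecurityIncident schema and a 30-day lookback.

```kql
// Added example, not from the thread. Assumes the standard SecurityIncident
// schema (IncidentNumber, LastModifiedTime, Title, Status, ProviderName,
// AdditionalData) and an assumed 30-day lookback.
let lookback = 30d;
SecurityIncident
| where TimeGenerated > ago(lookback)
// SecurityIncident stores one row per incident update, so keep only the latest
// row per incident; counting raw rows overcounts incidents that were edited.
| summarize arg_max(LastModifiedTime, *) by IncidentNumber
// alertProductNames is a dynamic array; tostring() of a missing element is "",
// so fall back to the provider name rather than silently grouping those as "".
| extend product = tostring(AdditionalData.alertProductNames[0])
| extend product = iff(isempty(product), strcat("Unknown (", ProviderName, ")"), product)
| where product !in ("Microsoft Cloud App Security")
// Sentinel-generated incidents are broken out per analytics rule Title;
// every other product is reported as a single total.
| extend summarizeby = iff(product == "Azure Sentinel", Title, product)
| summarize Incidents = count(), Open = countif(Status != "Closed") by summarizeby, product
| sort by Incidents desc
```

Keeping `product` in the summarize key lets a Workbook grid group the rows so the per-Title Sentinel breakdown sits under one expandable product entry, as suggested earlier in the thread.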