Aug 04 2021 07:00 AM
Hi Community,
I need to fetch the last 24 hours' alerts in Sentinel as a report. I have used the query below, but that didn't work. Can someone help me out on this?
SecurityAlert
| where ProductName contains "Azure Defender OR Azure Active Directory Identity Protection"
| where AlertName = "*"
Thanks,
Kishore
Aug 04 2021 07:38 AM
@kishore_soc There are a couple of things wrong with your query
1) The "OR" that you have in contains should not be inside the quotes
2) It does not look like you need to use contains, since you are looking for the exact string that would show up. Use == instead.
3) The AlertName comparison requires two equal signs, ==, to act as a comparison rather than trying to set a value. Not sure that you want it to equal "*" either, as I don't see that value listed, but what is it you are trying to accomplish with this last line?
I rewrote your query to look like
SecurityAlert
| where ProductName == "Azure Defender" or ProductName == "Active Directory Identity Protection"
| where AlertName == "*"
Aug 04 2021 07:54 AM
Hi Gary,
Thanks for your prompt reply!
I did not get any results using the provided query. Please have a look at the screenshot below.
Thanks,
Kishore
Aug 04 2021 07:55 AM
Aug 04 2021 08:49 AM
Aug 04 2021 09:47 AM
@CliveWatson Thanks, it's working fine!
Could you please help me with how to schedule a report of the last 24 hours' alert results on a daily basis, including analyst actions and comments? When I use the Owner entity on the Logs tab it doesn't show anything. Please look at the screenshot below.
Thanks,
Kishore
Aug 04 2021 10:20 AM
@kishore_soc There is no column called Owner in the SecurityAlert table which is why you are getting the error with the project-keep command.
Aug 04 2021 10:26 AM
Aug 04 2021 10:42 AM
Solution
Scheduling a report - please see the "playbook" example here https://cloudblogs.microsoft.com/industry-blog/en-gb/cross-industry/2020/06/17/log-analytics-or-azur...
"Owner" is a column in SecurityIncident, not SecurityAlert - hence the failure, so you need to join the two tables.
SecurityIncident
// an incident is re-logged on every update; keep only the latest row per incident
| summarize arg_max(TimeGenerated,*) by tostring(IncidentNumber)
// keep the full alert-ID list as one string for the report
| extend Alerts = extract("\\[(.*?)\\]", 1, tostring(AlertIds))
// one row per alert ID so it can be joined to SecurityAlert
| mv-expand AlertIds to typeof(string)
| join
(
SecurityAlert
| where ProductName == "Azure Defender" or ProductName == "Azure Active Directory Identity Protection"
| extend AlertEntities = parse_json(Entities)
| mv-expand AlertEntities
) on $left.AlertIds == $right.SystemAlertId
// Status and Severity exist in both tables; the unqualified names refer to SecurityIncident (the left side)
| summarize by IncidentNumber, tostring(Owner), Title, Alerts, DisplayName, IncidentSeverity=Severity, AlertSeverity, Status
Add this at the end of the last line for comments and tags (if required)
, tostring(Comments), tags=tostring(Labels)
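The following is an added example, not Clive's query or anything else from the original thread. It shows the same SecurityIncident-to-SecurityAlert join shaped as the daily "last 24 hours" report the question asked for: the window is applied on the alert side, alert and incident rows are both de-duplicated to their latest state, and the dynamic Owner, Comments and Labels columns are flattened so the report is readable. It assumes the standard Microsoft Sentinel SecurityIncident and SecurityAlert schemas; the Owner sub-fields (assignedTo, email) and the 24h window are assumptions, not something the thread's query contains.

```kql
// Added example, not part of the original thread: a daily "last 24 hours" alert report
// that carries the owning incident's analyst fields. Assumes the standard Microsoft
// Sentinel SecurityIncident / SecurityAlert schemas; the Owner sub-fields (assignedTo,
// email) and the 24h window are assumptions, not taken from the thread's query.
let lookback = 24h;
let RecentAlerts =
    SecurityAlert
    | where TimeGenerated > ago(lookback)
    | where ProductName in ("Azure Defender", "Azure Active Directory Identity Protection")
    // an alert is re-ingested when it changes; keep the latest row per SystemAlertId
    | summarize arg_max(TimeGenerated, *) by SystemAlertId
    | project AlertTime = TimeGenerated, SystemAlertId, DisplayName, AlertSeverity,
              ProductName, AlertStatus = Status, Tactics;
SecurityIncident
// incidents are also appended on every update; keep the current state of each one
| summarize arg_max(TimeGenerated, *) by IncidentNumber
// AlertIds is a JSON array; one row per alert so it can be joined on SystemAlertId
| mv-expand AlertId = AlertIds to typeof(string)
// inner join: only incidents that contain an alert from the window are reported
| join kind=inner RecentAlerts on $left.AlertId == $right.SystemAlertId
// Owner, Comments and Labels are dynamic (JSON) columns; flatten the readable parts
| extend OwnerName    = tostring(Owner.assignedTo),
         OwnerEmail   = tostring(Owner.email),
         CommentsText = tostring(Comments),
         Tags         = tostring(Labels)
// Status and Severity exist in both tables; rename so the report is unambiguous
| project IncidentNumber, Title, IncidentSeverity = Severity, IncidentStatus = Status,
          Classification, ClassificationComment, OwnerName, OwnerEmail, Tags, CommentsText,
          AlertTime, DisplayName, AlertSeverity, ProductName, AlertStatus, Tactics
| order by IncidentNumber asc, AlertTime desc
```

Two caveats for running this on a schedule: because the time filter sits on SecurityAlert, an incident whose alerts all fired before the window will not appear even if an analyst updated it inside the window, so move the filter to SecurityIncident if the report is meant to track analyst activity rather than new alerts; and the thread's parse_json(Entities) / mv-expand step is left out here, since it only fans each alert out into one row per entity and the original query's summarize collapsed those rows straight back.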